Corporate Finance: Connecting the business of the University to the Real World
HES Finance Systems Network
Case Studies in University Finance: PCI DSS Compliance
Edward Eacock, Manager Financial Systems & Projects, Queensland University of Technology
5 March 2013
What is PCI DSS Compliance?
• The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
• It has been adopted by the major payment card providers.
When is PCI DSS Applicable?
• PCI DSS applies wherever account data is stored, processed or transmitted.
• Cardholder Data includes:
  • Primary Account Number (PAN)*
  • Cardholder Name
  • Expiration Date
  • Service Code
*If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.
Requirements to meet PCI DSS Compliance
• PCI Data Security Standard – Key obligations:
  • Build and maintain a secure network.
  • Protect cardholder data.
  • Maintain a Vulnerability Management Plan.
  • Implement Strong Access Control Measures.
  • Monitor & Test Networks.
  • Maintain an Information Security Policy.
QUT Obligations
QUT has been identified as requiring PCI DSS Merchant compliance Level 3* obligations and must:
• Submit a PCI DSS Self Assessment Questionnaire D and Attestation of Compliance.
• Submit results of security scans undertaken by an Approved Scanning Vendor in accordance with the PCI DSS Security Scanning Procedures.
*Level 3 obligations apply to an organisation that processes 20,000 to 1 million e-commerce transactions annually.
PCI DSS Activities to Date
Undertaken audits of:
• EFTPOS Terminals at QUT
• Payment Gateways
• Payment Card processors
• Networks potentially carrying payment card traffic
• Servers potentially holding payment card data
Engaged assistance from:
• Assurance & Risk Management Services (ARMS)
• Information Technology Services
• A Qualified Security Assessor (QSA) to review remediation plans and undertake Security Scans.
PCI DSS Activities to Date
• QUT has made the decision to remove the Card Holder Data Environment (CDE) from the QUT data network. This is due to the complexity of the QUT network and the cost of maintaining a CDE in this environment. This is a significant undertaking but will result in a simplified structure in which to maintain PCI DSS compliance.
• Update EFTPOS terminals to PCI DSS compliant devices and remove them from the data network by installing dial-up lines.
PCI DSS Activities to Date
Payment Gateways – activities have included:
• Parking – install a new Pay and Display solution
• GPRS-based EFTPOS terminals
Payment Card Processors – activities have included:
• Outsource the risk
• Required to provide QUT with compliance notification
Note: QUT is not deemed PCI DSS compliant until QUT is in receipt of compliant notifications from all payment card processors.
PCI DSS Activities to Date
Paper based solutions:
• Identified the potential for storage of paper based payment card information at QUT
• Where appropriate, install stand-alone dial-up EFTPOS terminals
Network Penetration Scanning:
• Scanning may not be required if QUT can achieve a configuration that does not have a CDE on the QUT network.
• PCI DSS network scans must be undertaken by an Approved Scanning Vendor (ASV).
PCI DSS Discussion
Discussion Points
• How can the needs of the business be met while providing a PCI DSS compliant solution?
• Is defining the Credit Card Data Environment (CDE) the most critical PCI DSS activity?
• What remediation must Universities do once the CDE has been defined to become PCI DSS compliant?
• Experience with inconsistent interpretation of PCI DSS from Qualified Security Assessors (QSA) and technology providers? (At QUT this has been primarily CDE definition.)
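The applicability rule (PCI DSS applies only where a PAN is stored, processed or transmitted) and the CDE-definition question above both come down to discovering which data stores actually hold a PAN. The following is an added example, not material from the QUT deck: it scans constructed sample records for Luhn-valid PANs so that stores holding one can be marked in scope, and masks the value in the report; the record names and contents are constructed, and it generalises the rule to any text store rather than the specific audits listed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so longer digit runs are not matched).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "data stores" for the scoping pass (not real QUT data).
SAMPLE_RECORDS = {
    "parking_refunds.csv": "refund,4111 1111 1111 1111,12/15,J Citizen",  # holds a PAN
    "hr_export.csv": "staff,123456789,2013030512345678",                   # digits, no PAN
    "web_form_log.txt": "POST /pay card=4111111111111112",                 # fails Luhn
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card PANs must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like PANs and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits, the usual PCI DSS display masking."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scope_records(records: dict) -> dict:
    """Map each record that stores a PAN to its masked PANs; stores with none are out of scope."""
    in_scope = {}
    for name, body in records.items():
        pans = find_pans(body)
        if pans:
            in_scope[name] = [mask_pan(p) for p in pans]
    return in_scope


if __name__ == "__main__":
    for name, masked in scope_records(SAMPLE_RECORDS).items():
        print(f"IN SCOPE: {name}: {masked}")
```

A real discovery pass would walk file shares, databases and mailboxes the same way; a Luhn-passing 16-digit string is still only a candidate, so each hit should be confirmed by hand before the store is declared part of the CDE.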