Explore how St. Andrews implemented Lean philosophy to meet PCI DSS requirements, findings, and next steps for secure card data handling.
PCI DSS Case Study: St Andrews' Journey
Eric Gillespie, University of St Andrews
So what does PCI DSS stand for?
• Pay Cash In
• Personal Combined Income
• Pretty Crap Investments
• Presbyterian Church of Ireland
• Please Come In
• Pretty Common Injury
• Photo Copy Ing
Overview: PCI DSS requirements
The main PCI DSS requirements for merchants are:
LEAN
• LEAN is a philosophy of work. It is an approach that has grown from the application of two key concepts:
  • Continuous improvement
    • Continuously looking at your work processes and striving to improve them (by, for example, using the Plan-Do-Check-Act improvement cycle)
  • Respect for people
    • Remembering that our staff are our greatest asset. It is, after all, the staff of an organization who, in our experience, know what works well and what needs to be improved, and who have the ability to suggest and make the necessary improvements.
Back in 2009 – Identified Stakeholders
• Schools/Units were identified:
  • Finance
  • IT Services
  • Students Association
  • Halls of Residence
  • Sports Centre
  • Music Centre
  • Library
  • Conference & Group Services
  • Print & Design
  • Museum
  • Open Association
Back in 2009 – Planning
• Finance & LEAN staff
• Identified key personnel in each School/Unit
• Invited them to a 3-day LEAN session
• Involved around 6-8 core staff in total
• Requested the key person to bring as much information as possible
• Explained to them the purpose
• Explained the clear goal
What were our Findings?
• Card details were being received:
  • Online
  • In person
  • Telephone
  • Fax
  • Booking forms
  • Letter
  • Email
• Sent to Finance internally via email
What were our Findings?
• Card details were being processed via:
  • Card payment gateway
  • Recurring Card Plans (RCPs)
    • RCPs – card expired
    • Manual RCPs
  • PDQ machines – customer present
  • PDQ machines – customer NOT present
  • Manual card machine
What were our Findings?
• Card details were being stored:
  • On a third-party server
  • In a safe
  • In a lockable cabinet/drawer
  • Shredded
What were our Findings?
• Card details were also being stored:
  • On computers
  • On shared drives
  • In unsecured rooms
  • In unlocked drawers
  • In waste paper bins, crumpled up
  • On desks, left lying unattended
Next Step in 2009 – Implementing Change
• We wrote a card policy of all the do's and don'ts
• We encouraged the use of online bookings/payments
• We cross-shredded all paper copies of card details
• We discouraged the use of booking forms
• We ran scans on PCs for card details
• We stopped accepting card details over the phone – students were asked to self-service
• We circulated the new policy to all the relevant parties
Next Step in 2009 – Compliance
• Passed a copy of our new policy to Barclaycard
• Used SecurityMetrics for completing the SAQ
• Stated on our website that we are PCI compliant
• Review after 6-8 weeks
2012
• Renew compliance annually
• Monitoring Schools & Units
• Review and update policy
Summary
• St Andrews is 600 years old (1413-2013)
• HRH Prince William:
  • "In true St Andrews style, and despite the great mathematicians whom its halls have produced, we still can't work out exactly how old we are. Are we 600 this year… next year… or is it the year after that? What does it matter? Let's celebrate for 3 years."
• 597 years to become PCI compliant