PCI Compliance Harvard University - PowerPoint PPT Presentation

Provided by: genem4
Slides: 39

Transcript and Presenter's Notes

1
PCI Compliance: Harvard University
  • Presented By
  • Cheryl Margey
  • Gene Madden

2
Agenda
  • Harvard Credit Card Environment
  • First Steps
  • Approach
  • Initial Certification
  • Current Project
  • Lessons Learned
  • Next Steps

3
Harvard Credit Card Environment
  • 120 Credit Card Merchants across University
  • Centralized Treasury service
  • Decentralized IT across University
  • Culture: ETOB (every tub on its own bottom)
  • Schools/units make decision on acceptance of
    credit card payments
    • Did their own web development
    • Pay all credit card fees
    • Post activity to general ledger

4
First Steps
  • Aug. 31, 2004, received notification of PCI
    requirement to enroll with 3rd party assessor
  • Categorized as tier 2, compliance deadline
    6/30/05
  • Communicated compliance mandate to senior
    management and CFO
  • Decided central approach would be needed to
    ensure Harvard's overall compliance
  • Brought Internal Audit and University Information
    Services (UIS) into the process
  • Interviewed 3 certified assessors; selected
    Ambiron Trustwave (ATW)
  • Presented PCI compliance mandate and potential
    risk to:
    • Financial Deans and Managers
    • University Technology Advisory Group and Central
      Administration IT
    • Merchants
  • Explored use of a previously developed central
    credit card service.
  • Initially funded by CIO to get it started

5
Approach
  • Senior Management Commitment
  • CFO message to all merchants
  • University was not willing to assume the
    financial or reputational risk associated with a
    potential breach

6
Approach (cont)
  • All merchants were required to achieve compliance
    by June 30th, 2005
  • Deactivation of any merchant not in compliance
    by that date
  • Mandatory use of central credit card server for
    all new development

7
Initial Certification
  • Challenges
    • Insufficient merchant data
    • IT and Finance needed to work together
    • Inconsistent information from acquirer on what
      level we were or who needed to be certified
    • Inconsistent interpretation of standards
    • Evolving process, no subject matter expertise
  • First Steps
    • Launched a survey to collect data for
      evaluation:
      • Primary business and technical contact
      • Method of credit card processing
      • Where site was hosted
      • If they stored cc data and where
      • IP address and/or URL

8
Initial Certification (cont)
  • ATW Trustkeeper Portal
    • Centrally grouped merchants enrolled in portal
    • Required each merchant to complete questionnaire
      and schedule a scan to identify vulnerabilities and
      maximize time to resolve them
    • Monitored results in portal and worked with
      non-compliant merchants
    • Developed categories in portal (scan or no scan)
    • Reviewed and verified IP addresses to be scanned
    • Defined merchant versus central responsibilities
      on questionnaire
  • Communication
    • Developed a credit card compliance website
    • Communicated issues and policies via email
    • Posted all communication to website
    • Posted 4 pre-populated questionnaires to website
    • Held weekly conference calls with ATW, RMAS and UIS
    • Held large group forums
    • Met with many merchants individually
    • Provided reports and updates to Financial Deans

9
Merchant Response
  • Underwhelming
  • Contacted Financial deans
  • Letter from CFO to Financial Deans
  • Message - no extensions
  • Sudden motivation in May

10
Final Results
  • 70 groups / 120 merchants
  • 2 voluntarily deactivated
  • 2 failed to meet deadline
    • Primarily due to late start
    • 1 temporarily suspended (1 week)
    • 1 deactivated (came back several months later)
  • 66 groups certified compliant

11
Immediate Aftermath
  • Worked with late starters to reach compliance
  • First Quarterly scan to fail (7/2)
  • Uneasy feeling about several merchants
  • Identified several departments for audits

12
Longer Consequences
  • Some departments treated it as a single event
  • No monitoring infrastructure
  • Personnel changes

13
Next Steps
  • Develop guidelines of who qualifies to be a
    merchant
  • Develop standardized IT infrastructure for
    accepting cc
  • Perform audits on merchants who achieved
    compliance
  • Develop monitoring procedure both centrally and at
    merchant level
  • Analyze impact of moving all web based merchants
    to the CCS, when and how
  • Keep project escalated and seek approval to hire
    project manager
  • Develop task plan and executive working committee

14
2006 PCI Initiative
  • Hire a full-time 6 month position, funded
    centrally
  • Establish an Executive Working Committee:
    • Treasury Management
    • Risk Management and Audit Services
    • University Technology Security Officer
    • University Information Systems

15
Objective
  • Standardize methods of accepting Credit Cards at
    the University
  • Mandate use of central Credit Card Service (CCS)
  • Mandate online registration vendor
  • Develop and document Policies and Procedures
  • Mandatory Deactivation for non-compliance
  • Defined roles and responsibilities of offices in
    working group and sign-off from each office

16
Categories of Work
  • Ensuring Infrastructure
    • Where we had processes or systems already but
      improvements were needed
  • Infrastructure Needed
    • Where we recognized a need but had nothing in
      place
  • Policies and Procedures
    • More formal documentation of processes

17
Tasks
  • PCI procedures and processes
  • Standardized central breach responsibilities and
    processes
  • Online Registration
  • Alternatives for web payments (e.g. PayPal)
  • Enhancements to CCS

18
Documents Created
  • Documents for Departments
    • Merchant Handbook
    • Exceptions to using central CCS
    • Web Hosting Requirements
  • Documents for Cash Management
    • New Merchant Setup
    • PCI Monitoring
    • PCI Breach

19
Merchant Handbook
All responsibilities of Merchant
  • Request
  • Approval
  • Certification
  • Ongoing monitoring
  • Breaches
  • Reference policies
  • Costs
  • Reference web hosting requirements
  • Posting and reconciliations
  • Audit requirements

20
Exceptions to using central CCS
  • Exceptions for off the shelf software
  • No exceptions for locally developed software
  • Requires CM and CIO approval

21
Web Hosting Requirements
  • CCS or Service Provider Users
    • Require scan of local site and audits every 5 yrs
  • Local Acceptance of Credit Cards
    • Pre-approval of web hosting environment and
      audits every 3 yrs
  • Local Storage of Credit Cards
    • Pre-approval of hosting environment and annual
      audits at department expense

22
New Merchant Setup
  • Approval of Financial Dean and Cash Management
  • Criteria for creating new accounts
  • Compliance built in to start-up process
  • Pre-review of PCI standards and questionnaire
  • Require certification certificate prior to
    transacting

23
PCI Monitoring
  • Annual Certification
  • Monitoring Quarterly Scans
  • Primary Driver of CM FTE
  • Internal Audits
  • Dealing with out-of-compliance merchants
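The monitoring obligations on this slide (quarterly scans, annual certification, internal audits, follow-up on out-of-compliance merchants) and the audit cadences on the Web Hosting Requirements slide can be tracked with a small merchant inventory script. The following is an added example in Python, not code from the original presentation or from any Harvard system: the merchant names, dates and category labels are constructed for illustration, and the 90-day scan and 365-day certification windows are assumptions standing in for "quarterly" and "annual".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Audit cadence per hosting category, from the "Web Hosting Requirements"
# slide: CCS/service-provider users every 5 yrs, local acceptance every
# 3 yrs, local storage of card data annually. The category labels are ours.
AUDIT_INTERVAL_YEARS = {
    "ccs_or_service_provider": 5,
    "local_acceptance": 3,
    "local_storage": 1,
}
SCAN_INTERVAL = timedelta(days=90)    # assumed window for "quarterly scan"
CERT_INTERVAL = timedelta(days=365)   # assumed window for "annual certification"


@dataclass
class Merchant:
    name: str
    category: str          # one of the AUDIT_INTERVAL_YEARS keys
    scan_required: bool    # False for the "no scan, local POS / dial-up" category
    last_scan: Optional[date]
    last_certification: Optional[date]
    last_audit: Optional[date]


def _overdue(last: Optional[date], interval: timedelta, today: date) -> bool:
    """An activity that was never recorded counts as overdue."""
    return last is None or today - last > interval


def compliance_status(m: Merchant, today: date) -> dict:
    """Flag each monitoring obligation and suggest the follow-up action."""
    if m.category not in AUDIT_INTERVAL_YEARS:
        raise ValueError(f"unknown hosting category: {m.category}")
    audit_interval = timedelta(days=365 * AUDIT_INTERVAL_YEARS[m.category])
    scan_overdue = m.scan_required and _overdue(m.last_scan, SCAN_INTERVAL, today)
    cert_overdue = _overdue(m.last_certification, CERT_INTERVAL, today)
    audit_overdue = _overdue(m.last_audit, audit_interval, today)
    if scan_overdue or cert_overdue:
        # Lapsed scan or certification is the deactivation trigger in the deck
        action = "deactivation_review"
    elif audit_overdue:
        action = "schedule_audit"
    else:
        action = "ok"
    return {
        "merchant": m.name,
        "scan_overdue": scan_overdue,
        "certification_overdue": cert_overdue,
        "audit_overdue": audit_overdue,
        "action": action,
    }


def deactivation_candidates(merchants, today: date) -> list:
    """Sorted names of merchants whose scan or certification has lapsed."""
    statuses = (compliance_status(m, today) for m in merchants)
    return sorted(s["merchant"] for s in statuses
                  if s["action"] == "deactivation_review")


# Constructed sample inventory and report date (not real Harvard merchants).
REPORT_DATE = date(2006, 6, 30)
SAMPLE_MERCHANTS = [
    Merchant("Alumni Events", "ccs_or_service_provider", True,
             date(2006, 5, 15), date(2006, 1, 10), None),
    Merchant("Museum Shop POS", "local_acceptance", False,
             None, date(2005, 6, 20), date(2004, 9, 1)),
    Merchant("Dept Web Store", "local_storage", True,
             date(2006, 2, 1), date(2006, 3, 1), date(2005, 5, 1)),
]

if __name__ == "__main__":
    for m in SAMPLE_MERCHANTS:
        print(compliance_status(m, REPORT_DATE))
    print("deactivation review:", deactivation_candidates(SAMPLE_MERCHANTS, REPORT_DATE))
```

Run as written, the script flags the web store (scan 149 days old, audit lapsed) and the POS merchant (certification 375 days old) for deactivation review, while the CCS user only needs an audit scheduled because it has never had one.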

24
PCI Breach Document
  • Clarified roles
  • Specific steps for PCI Incident Response Team
  • Specific reporting requirements:
    • Bank Card Associations
    • Internal Management
    • Cardholders with data compromised
  • Specified internal follow-up
  • Will be used as model for other types of breaches

25
Online Registration Selection
  • Drivers
    • Certified service provider
    • Reduce merchant accounts associated with events
  • Zoomerang survey to identify users and expected
    volume
  • Reviewed 7 vendors in depth
  • Finalizing contract with Certain Software

26
Online registration mandated use
  • Working on details of process and documenting
    procedures
  • Departments will be responsible for costs and use
    of software
  • Cash Management will administer set up (FTE need)

27
CCS Enhancements
  • Focused on making system more robust so that its
    use could be mandated
  • Also included options that would accommodate all
    expected users
  • Cash Management designated as business owner of
    system
  • CIO funded enhancements
  • Note: costs of CCS operations will eventually be
    paid by merchants

28
Annual Certification Second Time
  • Still ongoing
  • Changed to have each merchant certified
    individually
    • Easier reporting to bank
    • Less confusion, but more work, for merchants
  • Established multiple categories of merchants
  • Pre-populated questionnaires where we could.

29
Trustkeeper Portal Categories
  • Users of central CCS
  • Alumni and Development Hosted environment
  • Linked to site hosted by certified service
    provider
  • Basic Dial up
  • No Scan required, local POS system
  • Local web site/Application accepting credit cards

30
Lessons
  • Without central monitoring and documented
    procedures you can't maintain certification
  • Opening a merchant account should not be done
    lightly

31
Lessons Continued
  • Need to verify that the right people are filling in
    the self-assessment questionnaire
  • Need to really understand the PCI Standard
  • Need to really understand local IT infrastructure
    and business processes
    • Usually a collaborative effort between business
      owner and tech support
  • Internal audit needs to confirm

32
Lessons Continued
  • Due to the number of merchants we couldn't absorb
    the added work
  • Added 1 FTE in Cash Management
  • Added 1 FTE in Risk Management and Audit Services
  • PCI compliance costs allocated to local units
    with merchant accounts (e.g., ATW fees, etc.)

33
Keys for Our Success
  • Communicating and escalating the need to senior
    management
  • Senior Management commitment to our approach
  • No Extension Deadline
  • Deactivate non-compliant accounts
  • Allocation of appropriate resources

34
Success Keys cont.
  • Collaborative approach
  • Needed definition of roles
  • Technology and Finance expertise on team
  • Ability of team to help each other from being
    overwhelmed
  • Regular conference calls for team
  • Answers from our third party assessor
    • Couldn't get them anywhere else

35
If We Had It To Do Over
  • Start Sooner
  • More realistic allocation of resources
    • Either consultants or less demands on in-house
      staff
  • More frequent informal communication with
    internal merchants
    • More open forums for them to get questions
      answered
    • Frequent emails

36
Keys for Remaining Compliant
  • Mandated use of CCS
    • With limited exceptions
  • Mandated use of Online Registration
  • Dedicated position
  • Enhanced data base
  • Harvard's Security Web Site
  • Security policies
  • Credit card contract rider

37
Challenges for remaining compliant
  • Non certified service providers
  • One questionnaire: one size doesn't fit all
  • Every situation is unique
  • Changing requirements, changing environment

38
Long Term Strategy
  • Look for ways to outsource activities
  • Look for alternatives to accepting credit cards
    online
  • Consolidate web hosting sites