PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)
Transcript of PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)
8/9/2019 PCI, A New Approach: How to Build Compliance without Rebuilding Your Network (264646409)
http://slidepdf.com/reader/full/pci-a-new-approach-how-to-build-compliance-without-rebuilding-your-network 1/32
PCI – A new approach: How to build compliance without rebuilding your network
Copyright (c) 2015 The Trustees of Columbia University in the City of New York
Joel Rosenblatt – Director, Computer Network Security, Columbia University
Educause SPC 2015 – May 5, 2015
PCI-DSS – What is it and why do you care?
• Payment Card Industry Data Security Standard
  ◦ A set of standards created by the credit card industry to help ensure the safe handling of sensitive information
• PCI DSS is not a law or government standard
  ◦ It was created by Visa and MasterCard
  ◦ It is a framework for developing a robust account data security process
  ◦ It will cost you if you are compromised
Risk of not doing PCI compliance
• From the PCI Security Standards Council
  ◦ If you are not compliant, it could be disastrous. Compromised data negatively affects consumers, merchants, and financial institutions
  ◦ Just one incident can severely damage your reputation and your ability to conduct business effectively far into the future
  ◦ Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
  ◦ Possible negative consequences also include: lawsuits, insurance claims, cancelled accounts, payment card issuer fines, government fines
  https://www.pcisecuritystandards.org/security_standards/why_comply.php
Columbia Environment
• Large research university
• Decentralized management structure
• Over 150,000 network nodes
• Over 70,000 MAC addresses active on average
• Decentralized computer support
• No sniffing traffic or scanning machines allowed
• Free love IP address assignments available
• No university-wide, corporate-like firewalls
• Between 50,000 and 90,000 active email accounts
Columbia Environment
• Seventeen schools
  ◦ Four undergraduate
  ◦ Thirteen graduate
• Four affiliate schools, including a large Medical center
• ApartmentNet – HS Internet sold through housing
• Twenty-five libraries with 9.5 million volumes
• Twenty thousand employees
• Forty thousand students
Columbia University was founded in 1754 as King's College by royal charter of King George II of England. It is the oldest institution of higher learning in the state of New York and the fifth oldest in the United States.
Columbia Environment
• Network organized geographically – network segmentation is often done by building or area, not by use
  ◦ Example – SIPA (School of International and Public Affairs) is in the International Affairs Building, but so is the Economics department and the Political Science department – each of these has a different IT organization
Columbia Environment
• Central IT (CUIT) organization only supports central IT functions (network, email, main web servers, payroll, student services, financial services, etc.)
• Departments, schools and affiliates get to support themselves (or can buy support from CUIT)
• This creates an uneven support model – rich departments (Law, Business) have good support; poor departments (Anthropology, Political Science) – not so good.
Columbia Network
• Made up of four campuses in upper Manhattan
  ◦ Morningside, Medical, Manhattanville, Lamont
• Network is laid out geographically
  ◦ No separate administrative and student network
  ◦ Buildings can be mixed use
• Little use of NAT
  ◦ 5 /16, 2 /20, 1 /21, 1 /22, 4 /24
Columbia's Merchant processing scope
• Approximately 400 Merchant Accounts
  ◦ 43% Strictly Point of Sale
  ◦ 6% Strictly MOTO
  ◦ 27% Strictly E-commerce
  ◦ 24% Some Combination of the above
• Two University Wide Approved Processors
  ◦ Two others for specific purposes only
• Two University Wide Approved Payment Gateways
  ◦ Two others for specific purposes only
• Numerous Third Party Service Providers
Selected Treasury Statistics
• 200 bank accounts (85 international) – 500M–800M
• 300–400 merchant accounts – 150M–200M; 400K+ transactions
• 10 remote deposit capture (RDC) machines – 500M–600M; 55,000+ transactions
• 3,000 wire transfers (2,500 international) – 500M; 100M international
Some current Credit Card stats
• Almost 1000 people trained to process CC
• Approximately 200 POS terminals
• We submit a little over 100 SAQs signed by almost 40 Senior Business Officers
• Payment Gateways
  ◦ Elavon ~300
  ◦ Virtual Merchant ~150
  ◦ Global Payments ~100
  ◦ CyberSource ~50
• 300–400 merchant accounts | 150M–200M | 400K+ transactions
Driving forces
• In 2008
  ◦ Policy created – no CC numbers on any Columbia networks, servers or machines
• In 2010
  ◦ Someone was using a Columbia web site to verify credit card numbers by putting through $.10 charges
  ◦ Payment vendor indicated that we would be charged $25/month for each non-compliant MID. 450 MIDs × 25 × 12 = $135,000/year
  ◦ Treasury policy on CC created
  ◦ Considered dropping all credit card acceptance. Potential loss of $70M–$90M/year
• Cost to build a PCI compliant network at Columbia
  ◦ A lot
Challenge
How do you comply with PCI on a non-compliant network?
PCI Committee – how many people does it take to do PCI?
• PCI compliance is a joint project between the Treasury department, Medical center and computer security
• From Treasury
  ◦ Associate Treasurer, Cash Management Operation (10%)
  ◦ Treasury Manager (100%)
• From computer security
  ◦ Director, Computer Network Security (10%)
  ◦ Associate Network Security Analyst (50%)
• From Medical center
  ◦ Assistant Director, Information Security (10%)
• Almost forty SBOs fill out SAQs for the 400 MIDs
  ◦ Guesstimate of 20% of one FTE
• Training of 1000 people who touch CCs
  ◦ Guesstimate of 50% of one FTE
First pass – Outsource everything
• Create Policy –
  ◦ Internet transactions: University Departments accepting credit cards via ecommerce must adhere to the criteria in the CU REGISTRATION AND PROTECTION OF SYSTEMS POLICY. The policy provides that University Departments must not capture, store or transmit cardholder data on Columbia servers or networks.
It turns out that this is not good enough
• Connecting to a payment processor's website on behalf of a customer puts that machine in scope for PCI (acting as a servicing agent)
• Personal transactions (I own the credit card) on the University network are not in scope for PCI
Plan B – Reduce PCI scope
• PCI Scope
  ◦ Any machine that is used for transactions
  ◦ Any machine that touches the network used for transactions
• Since we have a large network set up like an ISP, virtually every system at Columbia would have been in scope for PCI (~150,000 nodes)
  ◦ Requirements for PCI: external scans quarterly (expensive); log storage for one year (a lot of data); restricted and monitored access (impossible for student machines); and lots more!
Plan B – create a PCI Citrix Proxy network
• Build a Citrix farm in a (firewalled) box
  ◦ Access through the firewall
  ◦ RFC 1918 addressing inside
  ◦ All traffic inside using NAT/PAT rules
• Put BlackBoard servers in same PCI box
  ◦ Cash registers that take CC have home runs to the network closet with firewall/VPN to the PCI network firewall – we will be replacing these with P2P encrypted machines
• External IP (2) scanned by TrustWave
• All access to PCI box through external IPs
Network Diagram (slide image; not reproduced in the transcript)
PCI Citrix screen (slide image; not reproduced in the transcript)
Network restrictions on machines connecting to PCI Citrix server
• Machines must be on the hard-wired Columbia network
• No remote access
• No VPN access
• Must be desktop systems, or laptops with wireless network cards removed
• No remote login to desktop allowed
• Two-and-a-half factor authentication
  ◦ Alpha domain user (Windows systems group)
  ◦ Access to Citrix group (Treasury)
  ◦ Account on Gateway (Treasury)
Payment Gateway tuning
• Payment gateways will only accept logins from the external IP address of our PCI firewall
  ◦ CyberSource dropped as vendor because they could not support this feature
• Refunds on credit cards can only be made
  ◦ To the card that the original charge was made on
  ◦ In an amount less than or equal to the original charge
• Updated PINs from 6 characters to over 60 characters for Web User configurations for ecommerce accounts that use our Payment Gateways as a checkout page
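The two gateway-side controls above (login only from the PCI firewall's external address; refunds only to the original card and never above the original charge), encoded as checks in Python. This is an added example, not Columbia's or any gateway vendor's code: the firewall address 203.0.113.10 (from the TEST-NET-3 documentation range), the charge record and the token names are constructed, and the cap on cumulative partial refunds goes beyond the slide's wording.

```python
import ipaddress
from dataclasses import dataclass
from decimal import Decimal

# Constructed placeholder (TEST-NET-3 range): the real external address of the PCI firewall
# is not on the slide.  Only this address may log in to the payment gateway.
PCI_FIREWALL_EGRESS = {ipaddress.ip_address("203.0.113.10")}

def login_allowed(source_ip):
    """Gateway rule 1: accept a login only if it arrives from the PCI firewall's external IP."""
    try:
        return ipaddress.ip_address(source_ip) in PCI_FIREWALL_EGRESS
    except ValueError:
        return False                     # unparsable client address: not on the allow-list

@dataclass
class Charge:
    charge_id: str
    card_token: str                      # tokenised card reference; the PAN itself is never kept
    amount: Decimal
    refunded: Decimal = Decimal("0")     # running total of refunds already issued

def validate_refund(charge, card_token, amount):
    """Gateway rule 2: refund only to the original card and never more than the original
    charge.  Capping *cumulative* refunds at the charge amount is this example's assumption."""
    amount = Decimal(str(amount))
    if amount <= 0:
        return False, "refund amount must be positive"
    if card_token != charge.card_token:
        return False, "refund must go to the card the original charge was made on"
    if amount > charge.amount:
        return False, "refund exceeds the original charge"
    if amount > charge.amount - charge.refunded:
        return False, "cumulative refunds would exceed the original charge"
    return True, "ok"

def apply_refund(charge, card_token, amount):
    """Validate, then record the refund against the charge; returns (ok, reason)."""
    ok, reason = validate_refund(charge, card_token, amount)
    if ok:
        charge.refunded += Decimal(str(amount))
    return ok, reason

def scenario():
    """Constructed walk-through; returns the gateway's decision for each step in order."""
    charge = Charge("ch_0001", "tok_cardA", Decimal("120.00"))    # constructed, not real data
    return [
        login_allowed("203.0.113.10"),                             # from the PCI firewall
        login_allowed("198.51.100.7"),                             # from anywhere else
        apply_refund(charge, "tok_cardB", "50.00")[1],             # different card
        apply_refund(charge, "tok_cardA", "130.00")[1],            # more than the charge
        apply_refund(charge, "tok_cardA", "50.00")[1],             # allowed
        apply_refund(charge, "tok_cardA", "80.00")[1],             # 50 + 80 > 120
        str(charge.amount - charge.refunded),                      # still refundable
    ]
```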
PCI Compliance Requirement for MO/TO machines connecting to PCI Citrix server
• PCI DSS compliance requires any computer used to submit MO/TO transactions at Columbia University to pass all of the requirements of PCI DSS
  ◦ https://www.pcisecuritystandards.org/security_standards/index.php
• The following hardware and software settings are required to be in compliance with PCI DSS. NO EXCEPTIONS CAN BE ALLOWED. If these conditions cannot be met by the standard desktop used for this function, additional hardware that meets these conditions must be acquired. If these conditions are not followed, the ability to accept credit cards will be disabled.
• The following requirements must be met in addition to all applicable requirements in
  ◦ http://www.columbia.edu/acis/security/articles/data/desktop%20security%20accessing%20sensitive%20data%20checklist%20+%20POS%20requirements.pdf
Continued…
• Machine cannot have ANY wireless devices installed and must not be a laptop (unless wireless cards removed) (i.e. no wireless keyboards or mice, no wireless card, can't be plugged into a wireless router, etc.)
  ◦ Machine must be physically inspected quarterly to verify this
• Machine must be hard wired to a network jack (NOT WIRELESS – see 1)
• User ID of each person performing MO/TO transactions cannot have privileges higher than USER
Continued…
• Users cannot share IDs – each user performing MO/TO transactions must use their own ID
  ◦ Passwords must be changed every 90 days
  ◦ Minimum password length is 8
  ◦ Passwords must be mixed case, numbers and letters
  ◦ Passwords cannot be reused on a 5 password cycle
  ◦ User ID will be locked out after 6 bad passwords for at least 30 minutes
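The account rules above (90-day rotation, minimum length 8, mixed case plus digits, no reuse within the last 5 passwords, lockout after 6 bad passwords for 30 minutes) modelled as a small Python state machine, so the lockout and history behaviour can be checked against a constructed sequence of logins. This is an added example, not Columbia's tooling: PBKDF2 as the password hash, the `Account` class and the walk-through data are assumptions.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta
MAX_PASSWORD_AGE = timedelta(days=90)      # "changed every 90 days"
MIN_LENGTH = 8                             # "minimum password length is 8"
HISTORY_DEPTH = 5                          # "cannot be reused on a 5 password cycle"
LOCKOUT_THRESHOLD = 6                      # "locked out after 6 bad passwords"
LOCKOUT_DURATION = timedelta(minutes=30)   # "for at least 30 minutes"

def _digest(password, salt):
    # PBKDF2-SHA256 stands in for whatever the real directory uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_errors(password):
    """Length and character-class rules; an empty list means compliant."""
    errs = []
    if len(password) < MIN_LENGTH:
        errs.append(f"shorter than {MIN_LENGTH}")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        errs.append("not mixed case")
    if not any(c.isdigit() for c in password):
        errs.append("no digit")
    return errs

class Account:
    def __init__(self, user_id, initial_password, now):
        self.user_id, self.history, self.failures, self.locked_until = user_id, [], 0, None
        self._store(initial_password, now)
    def _store(self, password, now):
        salt = os.urandom(16)                         # history holds (salt, digest), newest last
        self.history = (self.history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now
    def change_password(self, new_password, now):
        """Return the violated rules; the change is applied only when there are none."""
        errs = complexity_errors(new_password)
        if any(hmac.compare_digest(_digest(new_password, s), d) for s, d in self.history):
            errs.append(f"reused within last {HISTORY_DEPTH} passwords")
        if not errs:
            self._store(new_password, now)
        return errs
    def login(self, password, now):
        """Return 'locked', 'bad_password', 'expired' or 'ok'."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"                           # in force even for the right password
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failures += 1
            if self.failures >= LOCKOUT_THRESHOLD:
                self.locked_until, self.failures = now + LOCKOUT_DURATION, 0
                return "locked"
            return "bad_password"
        self.failures = 0
        return "expired" if now - self.changed_at > MAX_PASSWORD_AGE else "ok"

def scenario():
    """Constructed walk-through (no real accounts); returns each step's outcome in order."""
    t0 = datetime(2015, 5, 5, 9, 0)
    acct = Account("jdoe", "Spring2015ab", t0)
    out = [",".join(acct.change_password(p, t0)) or "ok"
           for p in ("short1A", "Spring2015ab", "Summer2015cd")]    # too short / reused / fine
    for i in range(LOCKOUT_THRESHOLD):                                # six bad passwords in a row
        out.append(acct.login("Wrong9999xy", t0 + timedelta(minutes=i)))
    for minutes, days in ((10, 0), (40, 0), (0, 91)):   # still locked / lock elapsed / rotation overdue
        out.append(acct.login("Summer2015cd", t0 + timedelta(minutes=minutes, days=days)))
    return out
```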
Continued…
• Firewall with inbound and outbound blocking must be installed (i.e. Symantec) with default deny set. No port should be open unless absolutely required by a business application running on the system.
• No non-business applications are allowed to run on the system
• No remote access (remote desktop, gotomypc, etc.) allowed to any system used to access the PCI gateway
• We will be installing whitelisting software (Savant) on these machines as a mitigating control for not using FIM
Logging and Scanning
• When a machine connects to the PCI Citrix box
  ◦ A Nexpose scan is triggered (quarterly) and results are stored for one year
  ◦ All NetFlow (network log) data (in and out) of the machine is collected and stored for one year
  ◦ All Symantec output is collected and stored for one year
  ◦ All GULP (authentication) data involving the machine are stored and kept for one year
• Scans are read by the PCI security person and any imperfect scores are resolved
Training and SAQs
• Training
  ◦ In order to get an ID to access the payment gateway, the user must be registered to take the online PCI training, which needs to be repeated annually
• One SAQ must be filled out for each MID
  ◦ We fill out a SAQ D for each MID that uses the PCI Citrix farm and has a web site
  ◦ MO/TO only fill out an SAQ A
  ◦ Dialup users fill out a SAQ B
• We are using Courseworks to manage documentation, SAQs and communications to SBOs (Senior Business Officers)
And the beat goes on …
• Onsite Compliance Visits
  ◦ Trust but verify! Confirm:
    No evidence of track data, CAV2, CVC2, CID, CVV2 or PIN data is stored after authorization
    Access is truly restricted
    Processors are educated on PCI
    All information within submitted SAQs and attestations fairly represents their processing environment
• Using CourseWorks has made this process more manageable
• Importance of Documentation
  ◦ 156 mentions in the PCI DSS!
  ◦ Document, documented, documentation
Summary
• It took almost six years and a lot of work to fully implement our current PCI solution
• Some challenges we are still working on
  ◦ Events in open spaces (athletics and registration) – we are using cellular POS systems using P2P encryption
  ◦ Off-campus medical offices – we will be using P2P encrypted devices
  ◦ Things that we don't know
• PCI v3.1 has clarified some of the use of encryption
• No matter how you do PCI, it is a large consumer of resources
Questions
Joel Rosenblatt – joel@columbia.edu