payment card industry compliance project Michelle Langehennig Chief Information Officer Eric Scott Network Administrator Supervisor

RLD Vision and Mission RLD Vision: To ensure New Mexicans receive quality care and services from qualified professionals. RLD Mission RLD is in the business of ensuring that New Mexicans receive quality care and services from qualified individuals and businesses in 35 different industries, professions and trades. We touch everyday activities of every New Mexican, while ensuring fair and prompt administrative process to help spur economic development. Construction Industries Division: Provide code compliance oversight; issue licenses, permits and citations; perform inspections; administer exams; process complaints; and enforce laws, rules and regulations relating to general construction and manufactured housing standards to industry professionals.

Project Description RLD PCI Compliance is a two part project. Completed in Phase I: RLD separated all traffic through the firewall and segmented the traffic by a demilitarized zone(DMZ) allowing the cardholder traffic to be separate from the network traffic. The Accela application redirect is complete and is no longer storing data on the RLD network. The Accela and MLO data is now separated in the current data storage environment. Installed Cisco Umbrella to provide a view of DNS traffic. To Be Completed in Phase II: Move payment providers from PayPal to Wells Fargo. Saving RLD over $150,000 in fees. Replace core equipment and host to eliminate aging equipment, obtain more data storage and allow RLD to remain PCI compliant.

Accomplishments Achieved full PCI compliance for RLD and associated Permitting and Licensing application to increase the security of the card-holder data environment (CDE). Separated all Card holder data and regular network traffic making RLD a more secure environment. Separated applications taking credit cards from the rest of the network creating a compliant environment to take credit cards. Provide a view of DNS traffic to protect the network from threats. Replaced out dated firewalls to create a hardened and safer environment for the public and the RLD network.

Objectives Move payment providers from PayPal to Wells Fargo to eliminate over $150,000 of fees imposed by financial service provider. Maintain PCI compliance through the life of the Permitting and Licensing programs and for as long as the PCI DSS compliance specification is relevant. Eliminate aging equipment and obtain more data storage allowing RLD to remain PCI compliant.

Deliverables PCI DSS 3.2 compliant payment portal that takes credit card payments from existing RLD applications, customizable and configurable by RLD IT staff. Customized code within existing RLD applications that point to the new payment portal. Policies and Procedures appropriate to the new SAQ-A environment. DNS protection software Core hardware to replace the current infrastructure

Project Budget Item Cost Estimate Phase 1 Hardware $32,100 Phase 1 Software $8,900 Phase 1 Implementation $26,000 Phase 2 Hardware $267,400 *Total $334,400 *IV&V not currently budgeted, as waiver was granted by DoIT on 7/26/2018

Conclusion RLD is requesting certification of $267,400 for the Planning / Implementation Phase to complete phase 2 of the PCI Compliance Project.