Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI Compliance in the University Setting Copyright Sandie Rosko, John Chapman, Jay Maylor 2007. This work is the intellectual property of the author. Permission.

Published byMaggie Dower Modified over 10 years ago

Similar presentations

Presentation on theme: "PCI Compliance in the University Setting Copyright Sandie Rosko, John Chapman, Jay Maylor 2007. This work is the intellectual property of the author. Permission."— Presentation transcript:

1 PCI Compliance in the University Setting Copyright Sandie Rosko, John Chapman, Jay Maylor 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 What does PCI DSS entail? Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy

3 Fully understand/learn the PCI/DSS requirements Can’t learn everything in a one hour session Where can you get information??? –Treasury Institute for Higher Education –merchant provider –card issuers –PCI Security Standards Council Webinars –PCI Security Standards Website https://www.pcisecuritystandards.org/

4 WSU Card Configuration Prior to PCI Early adopters Freely available to departments –Applications developed by dept staff, Univ Pub. –E-commerce applications took-off Alumni, Foundation, Registrar, Conferences, KWSU, Vet School, Student Visitation, CANR Publications Added additional services –Dept queries and downloads by merchant –Miscellaneous charges – call center

5 WSU Card Environment (pre-PCI DSS)

6 The Shock of PCI DSS Discussed with consultant Flat network – no segmentation Entire campus subject to PCI DSS Quarterly network scans of up to 15,000 computers

7 Three Pronged Approach to Compliance PCI DSS Compliant Zone for Central Applications Central Payment Site for Departmental Applications Policy to Require Compliance

8 PCI DSS Compliant Zone

9 WSU Central Payment Card Site The problem – Popular centrally administered credit card payment API would be difficult to make PCI compliant The Solution – Provide a web based solution for departments that removes departmental servers and processing from the PCI environment

10 Central Payment Site Processing

11

12

13

14 WSU Central Payment Card Site Advantages & Issues Advantages –Simplifies PCI compliance by making PCI footprint smaller –SOA based solution encourages department use –Encapsulation hides implementation details making changes in the back end processing simpler Issues –One size does not fit all –Centralized system = centralized problems –Can’t support centrally the multitude of technical environments and levels of expertise in the departments

15 PCI Policy at Washington State University Centralized processing simplifies our policy –Centralized web payments processing –University wide POS system Two options currently available –Use WSU centrally provided solutions –Outsource to PCI Compliant third-party provider Other options being considered –Host PCI compliant vendor package in centrally controlled PCI environment –Allow departments to setup their own PCI compliant environment

16 Central processing at University of Washington ….or lack there of. –No central solutions at the University of Washington –None planned –Too great a variety of departmental needs to try and fit under one system and/or vendor

17 PCI Policy at University of Washington Required compliance to PCI DSS of all University affiliated merchants –Requires yearly submission of PCI surveys –Requires all merchant contract agreements to be obtained through central office –Requires all internet-facing systems to meet OWASP (Open Web Application Security Project) standards –Includes enforcement provisions –Includes clear roles and responsibilities

18 Outsourcing/vendor supplied packages Harbor Payments –SFS PayPal –PayFlow Pro –PayFlow Link –PayPal Payments Standard VeriSign Blackboard –HFS Convio –Development Paciolan –UW Ticketing ViaKlix ViaWarp Virtual Merchant Global Retail Advantage –KUOW

19 PCI Myths and Urban Legends Implementing PCI will compromise our academic mission We don’t store credit card numbers therefore we are PCI compliant Our vendor application is PCI compliant therefore we are PCI compliant We outsource our credit card payments therefore we’re PCI compliant

20 Summary of PCI DSS at WSU Single PCI DSS Compliant Zone Central Payment Site Policy Requires PCI DSS Compliance PCI DSS Compliance is a Journey Not a Destination

21 Washington State University John Chapman john_chapman@wsu.edu Jay Maylor jay@wsu.edu University of Washington Sandie Rosko sandier@u.washington.edu Andrew Monusko amonusko@u.washington.edu Questions? Contact Info

Download ppt "PCI Compliance in the University Setting Copyright Sandie Rosko, John Chapman, Jay Maylor 2007. This work is the intellectual property of the author. Permission."

Similar presentations

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,

Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.

Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.
© Copyright Computer Lab Solutions 2006. All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.

© Copyright Computer Lab Solutions All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.
The Academic Computing Assessment Data Repository: A New (Free) Tool for Program Assessment Heather Stewart, Director, Institute for Technology Development,

The Academic Computing Assessment Data Repository: A New (Free) Tool for Program Assessment Heather Stewart, Director, Institute for Technology Development,
This refresher course will:

This refresher course will:
Disaster Recovery Planning Because It’s Time! Copyright Columbia University and Bentley College, 2003. This work is the intellectual property of the author.

Disaster Recovery Planning Because It’s Time! Copyright Columbia University and Bentley College, This work is the intellectual property of the author.
Using Value Disciplines in Organizational Change Peter D. Nordgren University of Wisconsin-Superior Educause Midwest Regional Conference March 13 th, 2007.

Using Value Disciplines in Organizational Change Peter D. Nordgren University of Wisconsin-Superior Educause Midwest Regional Conference March 13 th, 2007.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
Copyright Jill M. Forrester 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial,

Copyright Jill M. Forrester This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial,
Office of the Vice President Copyright Notice Copyright Greg Hedrick, Matthew Wirges 2004. This work is the intellectual property of the author. Permission.

Office of the Vice President Copyright Notice Copyright Greg Hedrick, Matthew Wirges This work is the intellectual property of the author. Permission.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College Copyright Penn State University-2008. This work is the intellectual.

Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College "Copyright Penn State University This work is the intellectual.
Cyberspace Education: Challenges and Opportunities Presented by: Bob Diveley Manager of Administrative Systems Columbus State University Copyright Bob.

"Cyberspace Education: Challenges and Opportunities" Presented by: Bob Diveley Manager of Administrative Systems Columbus State University Copyright Bob.

Similar presentations

Ads by Google