PCI Compliance Harvard University

1
PCI ComplianceHarvard University

• Presented By
• Cheryl Margey
• Gene Madden

2
Agenda

• Harvard Credit Card Environment
• First Steps
• Approach
• Initial Certification
• Current Project
• Lessons Learned
• Next Steps

3
Harvard Credit Card Environment

• 120 Credit Card Merchants across University
• Centralized Treasury service
• Decentralized IT across University
• Culture ETOB (every tub on its own bottom)
• Schools/units make decision on acceptance of
  credit card payments
• Did their own web development
• Pay all credit card fees
• Post activity to general ledger

4
First Steps

• Aug. 31, 2004, received notification of PCI
  requirement to enroll with 3rd party assessor
• Categorized as tier 2, compliance deadline
  6/30/05
• Communicated compliance mandate to senior
  management and CFO
• Decided central approach would be needed to
  ensure Harvards overall compliance
• Brought Internal Audit and University Information
  Services (UIS) into the process
• Interviewed 3 certified assessors selected
  Ambiron Trustwave (ATW)
• Presented PCI compliance mandate and potential
  risk to
• Financial Deans Managers
• University Technology Advisory Group Central
  Administration IT
• Merchants
• Explored use of a previously developed central
  credit card service.
• Initially funded by CIO to get it started

5
Approach

• Senior Management Commitment
• CFO message to all merchants
• University was not willing to assume the
  financial or reputational risk associated with a
  potential breach

6
Approach (cont)

• All merchants were required to achieve compliance
  by June 30th, 2005
• Deactivation of any merchant not in compliance
  by that date
• Mandatory use of central credit card server for
  all new development

7
Initial Certification

• Challenges
• Insufficient merchant data
• IT Finance needed to work together
• Inconsistent information from acquirer on what
  level we were or who needed to be certified
• Inconsistent Interpretation of standards
• Evolving process no subject matter expertise

• First Steps
• Launched a survey to collect data for
  evaluation
• Primary business and technical contact
• Method of credit card processing
• Where site was hosted
• If they stored cc data and where
• IP address and/or URL

8
Initial Certification (cont)

• ATW Trustkeeper Portal
• Centrally grouped merchants enrolled in portal
• Required each merchant to complete questionnaire
  schedule a scan to identify vulnerabilities and
  maximize time to resolve them
• Monitored results in portal worked with non
  compliant merchants
• Developed categories in portal (scan or no scan)
• Reviewed verified IP addresses to be scanned
• Defined Merchant versus central responsibilities
  on Questionnaire

• Communication
• Developed a credit card compliance website
• Communicated issues policies via email
• Posted all communication to website
• Posted 4 pre-populated questionnaire to website
• Held Weekly conference calls with ATW, RMAS UIS
• Held large group forums
• Met with many merchants individually
• Provided reports updates to Financial Dean

9
Merchant Response

• Underwhelming
• Contacted Financial deans
• Letter from CFO to Financial Deans
• Message - no extensions
• Sudden motivation in May

10
Final Results

• 70 groups 120 merchants
• 2 voluntarily deactivated
• 2 failed to meet deadline
• Primarily due to late start
• 1 Temporarily suspended (1 week)
• 1 Deactivated ( came back several months later)
• 66 groups certified compliant

11
Immediate Aftermath

• Worked with late starters to reach compliance
• First Quarterly scan to fail (7/2)
• Uneasy feeling about several merchants
• Identified several departments for audits

12
Longer Consequences

• Some departments treated it as a single event
• No monitoring infrastructure
• Personnel changes

13
Next Steps.

• Develop guidelines of who qualifies to be a
  merchant
• Develop standardized IT infrastructure for
  accepting cc
• Perform audits on merchants who achieved
  compliance
• Develop monitoring procedure both centrally at
  merchant level
• Analyze impact of moving all web based merchants
  to the CCS, when how
• Keep project escalated seek approval to hire
  project manager
• Develop task plan executive working committee

14
2006 PCI Initiative

• Hire a Fulltime 6 month position- funded
  centrally
• Establish a Executive Working Committee
• Treasury Management
• Risk Management and Audit Services
• University Technology Security Officer
• University Information Systems

15
Objective

• Standardize methods of accepting Credit Cards at
  the University
• Mandate use of central Credit Card Service (CCS)
• Mandate online registration vendor
• Develop and document Policies and Procedures
• Mandatory Deactivation for non-compliance
• Defined roles responsibilities of offices in
  working group and sign-off from each office

16
Categories of Work

• Ensuring Infrastructure
• Where we had processes or systems already but
  improvements were needed
• Infrastructure needed
• Where we recognized a need but had nothing in
  place
• Policies and Procedures
• More formal documentation of processes

17
Tasks

• PCI procedures and processes
• Standardized central breach responsibilities and
  processes
• Online Registration
• Alternatives for web payments (e.g. PayPal)
• Enhancements to CCS

18
Documents Created

• Documents for Departments
• Merchant Handbook
• Exceptions to using central CCS
• Web hosting Requirements
• Documents for Cash Management
• New Merchant Setup
• PCI Monitoring
• PCI Breach

19
Merchant Handbook
All responsibilities of Merchant

• Request
• Approval
• Certification
• Ongoing monitoring
• Breaches
• Reference policies

• Costs
• Reference web hosting requirements
• Posting and reconciliations
• Audit requirements

20
Exceptions to using central CCS

• Exceptions for off the shelf software
• No exceptions for locally developed software
• Requires CM CIO Approval

21
Web Hosting Requirements

• CCS or Service Provider Users
• Require scan of local site and audits every 5 yrs
• Local Acceptance of Credit Cards
• Pre approval of web hosting environment and
  audits every 3 yrs
• Local Storage of Credit Cards
• Pre approval of hosting environment and annual
  audits at department expense

22
New Merchant Setup

• Approval of Fin Dean Cash Management
• Criteria for creating new accounts
• Compliance built in to start up process
• Pre-review of PCI standards and questionnaire
• Require certification certificate prior to
  transacting

23
PCI Monitoring

• Annual Certification
• Monitoring Quarterly Scans
• Primary Driver of CM FTE
• Internal Audits
• Dealing with out-of-compliance merchants

24
PCI Breach Document

• Clarified roles
• Specific steps for PCI Incident Response Team
• Specific reporting requirements
• Bank Card Associations
• Internal Management
• Cardholders with data compromised
• Specified internal follow-up
• Will be used as model for other types of breaches

25
Online Registration Selection

• Drivers
• Certified service provider
• Reduce merchant accounts associated with events
• Zoomerang survey to identify users and expected
  volume
• Reviewed 7 vendors in depth
• Finalizing contract with Certain Software

26
Online registration mandated use

• Working on details of process documenting
  procedures
• Departments will be responsible for costs and use
  of software
• Cash Management will administer set up (FTE need)

27
CCS Enhancements

• Focused on making system more robust so that its
  use could be mandated
• Also included options that would accommodate all
  expected users
• Cash Management designated as business owner of
  system
• CIO funded enhancements
• Note Costs of CCS operations will eventually be
  paid by Merchants

28
Annual Certification Second Time

• Still ongoing
• Changed to have each merchant certified
  individually.
• Easier reporting to bank
• Less confusion, but more work, for merchants
• Established multiple categories of merchants
• Pre-populated questionnaires where we could.

29
Trustkeeper Portal Categories

• Users of central CCS
• Alumni and Development Hosted environment
• Linked to site hosted by certified service
  provider
• Basic Dial up
• No Scan required, local POS system
• Local web site/Application accepting credit cards

30
Lessons

• Without central monitoring and documented
  procedures you cant maintain certification
• Opening a merchant account should not be done
  lightly

31
Lessons Continued

• Need to verify that right people filling in
  self-assessment questionnaire
• Need to really understand PCI Standard
• Need to really understand local IT infrastructure
  and Business processes
• Usually a collaborate effort between business
  owner tech support
• Internal audit needs to confirm

32
Lessons Continued

• Due to the number of merchants we couldnt absorb
  the added work
• Added 1 FTE in Cash Management
• Added 1 FTE in Risk Management and Audit Services
• PCI compliance costs allocated to local units
  with merchant accounts (e.g., ATW fees, etc.)

33
Keys for Our Success

• Communicating and escalating the need to senior
  management
• Senior Management commitment to our approach
• No Extension Deadline
• Deactivate non-compliant accounts
• Allocation of appropriate resources

34
Success Keys cont.

• Collaborative approach
• Needed definition of roles
• Technology and Finance expertise on team
• Ability of team to help each other from being
  overwhelmed
• Regular conference calls for team
• Answers from our third party assessor
• Couldnt get them anywhere else

35
If We Had It To Do Over

• Start Sooner
• More realistic allocation of resources
• Either consultants or less demands on in-house
  staff
• More frequent informal communication with
  internal merchants
• More open forums for them to get questions
  answered
• Frequent emails

36
Keys for Remaining Compliant

• Mandated use of CCS
• With limited exceptions
• Mandated use of Online Registration
• Dedicated position
• Enhanced data base
• Harvards Security Web Site
• Security policies
• Credit card contract rider

37
Challenges for remaining compliant

• Non certified service providers
• One questionnaire one size doesnt fit all
• Every situation is unique
• Changing requirements changing environment

38
Long Term Strategy

• Look for ways to outsource activities
• Look for alternatives to accepting credit cards
  online
• Consolidate web hosting sites