PCI Internal Controls and Auditing Requirements

Treasury Institute for Higher Education, PCI DSS Workshop, April 24, 2017

Introduction

About University of Alaska

America’s Arctic university: a land, sea and space grant system. Geographically distributed across three major campuses, in Anchorage, Fairbanks and Juneau, with 17 satellite campuses and 28 facilities. As of 2015, total enrollment is 32,000.

Speakers

Shiva Hullavarad
Manager of Compliance, Information & Record Systems
University of Alaska System
P: 907-450-8074
Email: [email protected]

Will Finley
Information Systems Auditor, University of Alaska System
P: 907-450-8092
Email: [email protected]

Arctic Circle 65th Parallel (map slide)

Agenda

Introduction

PCI Governance /Advisory Team

What’s happening on campuses?

Risks of non-compliance

PCI DSS 3.2

PCI Lifecycle

Role of Internal audit

Tools for auditing PCI DSS

PCI Maturity model

Q & A

University of Alaska PCI

UA formed an e-commerce committee to centralize and prioritize payment systems

Recommended by the acquirer bank to be compliant with PCI DSS

The e-commerce committee transitioned to the PCI Advisory Team, chartered by the VP Finance to develop PCI policy

Hired a QSA to advise and to conduct vulnerability scans

The PCI Advisory Team developed the PCI Administrative Policy, requiring an SAQ to be completed for each MID by Oct 31 every year

The PCI Advisory Team meets every month to review scan status and to update and prioritize all PCI tasks

PCI Governance/Advisory Team

• Deficiency Reports

• SAQs

• Scope reduction efforts

PCI DSS – Payment Card Industry Data Security Standard

Standard that is applied to: Merchants; Service Providers (third-party vendors, gateways); Systems (hardware, software)

That: store cardholder data; transmit cardholder data; process cardholder data

Applies to: electronic transactions and paper transactions

PCI DSS – Applies to every business

All merchants are subject to the standard and to card association rules

No exemption is provided to anyone

Immunity does not apply because:

The requirement is contractual, not regulatory or statutory

Card associations can be selective about whom they provide services to

Merchants accept services on a voluntary basis

Merchants agree to abide by association rules when they execute the merchant bank agreement

Merchant banks are prohibited by association rules from indemnifying a merchant for not being compliant with the standard

Association rules require merchant banks to monitor merchants to ensure their compliance

Failure of a merchant bank to require compliance jeopardizes the merchant bank’s right to continue to be a merchant bank

Any fines levied are against the merchant bank, which in turn passes the fines on to the merchant

Campuses and Ah! Compliance

Institutes of higher education are required to maintain PCI compliance

They are at a disadvantage compared to other industries like banking, services and retail

They have varied types of businesses on campus accepting credit cards: tuition, student fees, campus cards, events, dining, housing, athletics, parking, vending machines, online giving

It is very difficult to have one office with knowledge of all of the above (mostly a one-person department)

Business challenges

• Many departments want to accept payments by credit card, but their needs, resources, and business and system maturity differ

• Absence of a PCI Governance Team

• E-commerce is complex, and it is not easy to decide who is ‘in charge’ of e-commerce

• Acquirer banks and credit card companies require the institution to be compliant with the most current standard; non-compliance results in penalties and jeopardizes reputation

• Centralized policies, education, management support and communication are needed

The PCI compliance - 12 security requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored data.

4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program

5. Use and regularly update antivirus software.

6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Routinely test security systems and processes.

Maintain an Information Security Policy

12. Establish high-level security principles and procedures.

PCI DSS 3.2 - Threat is the main driver

Drivers of the revision:

Changing payment and threat environment

Breach reports and compromise trends

Feedback from industry

Structure of the standard: 6 control objectives, 12 core requirements, 290+ audit procedures

Key changes:

Multi-factor authentication for admins (8.3.1)

5 new sub-requirements for service providers (in requirements 3, 10, 11 and 12)

2 new appendices: SSL/TLS migration deadline; designated entities supplemental validation

Threat – Detection, Response and Recovery (figure; source: Cisco Threat Report)

SAQ - PCI DSS Version 3.2

Face-to-Face & Mail/Telephone Only:

B – POS analog, not connected to IP *

B-IP – POS connected to IP * #

C-VT – Virtual Terminal over IP, dedicated or segmented, and keyed only * #

C – POS software connected to IP, dedicated or segmented * #

P2PE-HW – POS hardware managed with Point-to-Point Encryption *

D – Cardholder data is stored #

eCommerce Only:

A – Card-not-present, fully outsourced *

A-EP – Outsourced, but website redirect can impact security of payment * #

D – Cardholder data is either processed, transmitted, or stored #

Combination of Face-to-Face and eCommerce:

D – All merchants not included entirely in any one of the above, or where cardholder data is stored (systems are connected / not segmented) #

* Indicates cardholder data is not stored; # Indicates vulnerability scanning required.

Levels of Merchants

All merchants must perform external network scanning to achieve compliance.

Level   Transactions per year                     Types of targets
1       More than 6 million, or anyone with       Merchants, Merchant Agents, Processors, Direct Connects
        a breach
2       1 – 6 million                             Merchants, Merchant Agents, Processors
3       20K – 1 million                           eCommerce Merchants
4       All other merchants                       Merchants

Difference between Compliance & Validation

Compliance – means adherence to the standard

Applies to every merchant regardless of volume

Covers technical and business practices

Validation – verification that the merchant (including its service providers) is compliant with the standard

Applies based on the Level assigned to the merchant and its transaction volume

Two types of validation: Self-Assessment, or certification by a Qualified Security Assessor (QSA)

Attestation – a letter to the card issuer (bank), signed by both the merchant and the acquirer bank, attesting that validation has been performed

Validation - 2 steps

1. Annual Self-Assessment Questionnaire (SAQ) – required of all merchants regardless of level; applies to both technical and business practices

2. Quarterly security vulnerability scan – required for external-facing IP addresses, web applications, and POS software and databases on networks; applies even if there is only a redirection link to a third party; must be performed by an Approved Scanning Vendor (ASV)

Validation requirements are based on the Level assigned to the merchant, which is in turn based on transaction volume

Validation requirements – Merchant level

Level 1 (Visa/MasterCard): Annual onsite review by a Qualified Security Assessor (QSA), or by the merchant’s Internal Audit if signed by an officer of the company, and a quarterly network security scan with an Approved Scanning Vendor (ASV).

Level 2: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan with an approved ASV.

Level 3: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan with an approved ASV.

Level 4: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan with an approved ASV.

PCI DSS separates Vulnerability and Threat

Vulnerability – Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process. Vulnerabilities are weaknesses in networked environments, web applications and physical premises.

Threat – Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function.

Advanced Persistent Threat

An advanced persistent threat:

pursues its objectives repeatedly over an extended period of time

adapts to defenders’ efforts to resist it

takes a targeted approach

is determined to maintain the level of interaction needed to execute its objectives

PCI Lifecycle (figure showing the roles involved: Business unit, IT Security, Compliance, Legal, Risk Services; source: Foundstone)

PCI lifecycle - Discussion

1. Policy – the authoritative source by which processes/actions are measured

2. Inventory – an accounting conducted by the auditee to validate that fiduciary responsibilities are fulfilled

3. Prioritize – a determination of whether the auditee has evaluated assets and risks while “getting the job done”

4. Vulnerabilities – the weak link in the chain. Is a process in place to find vulnerabilities? Can the auditor find them?

5. Threats – what threats are known? Is a process in place to watch for new threats? Does the auditee have a process to eliminate, mitigate, or respond to threats?

6. Risk – the optimization of risk. Is risk reduced to acceptable levels? Risk to people, revenue, assets, and reputation? Evaluate the decision to accept, avoid, reduce, or transfer the risk.

7. Remediation – when inadequacies are found, the auditor will want to see a plan to remedy the situation. The auditor will follow up to validate that the remediation plan was implemented and works.

8. Measure – accounting is specific and measurable… auditors want to see the quantitative and qualitative results. Bean counters…

9. Compliance – a determination of how closely processes are aligning with authoritative guidance

Assess Risk

Risk = Assets × Vulnerabilities × Threats

The product of assets, vulnerabilities and threats, based upon the criticality of each (AVT)

Focus your resources on the true risk

See handout – spreadsheet #1
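The Assets × Vulnerabilities × Threats scoring above is usually kept in a spreadsheet (the handout). As an added illustration, not the workshop's own spreadsheet or code, the Python below scores a constructed inventory of campus payment channels on 1–5 ratings for each factor, ranks them so the true risk rises to the top, and applies the step-6 decision (accept, or reduce/avoid/transfer) against an assumed acceptable level. The channel names, ratings and the threshold of 27 (a "medium" 3 on all three factors) are assumptions made for the example.

```python
"""Added example: rank payment channels by Assets x Vulnerabilities x Threats.
Not from the workshop handout; inventory, ratings and threshold are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class PaymentChannel:
    """One card-accepting business on campus, i.e. one row of the risk spreadsheet."""
    name: str
    asset: int          # criticality of the asset to the institution, 1 (low) to 5 (critical)
    vulnerability: int  # how exposed the channel is to known weaknesses, 1 (low) to 5 (high)
    threat: int         # how likely a known threat is to act on this channel, 1 (low) to 5 (high)


def risk_score(channel: PaymentChannel) -> int:
    """Risk = Assets x Vulnerabilities x Threats; each factor rated 1..5, so the product is 1..125."""
    for rating in (channel.asset, channel.vulnerability, channel.threat):
        if not 1 <= rating <= 5:
            raise ValueError(f"{channel.name}: ratings must be between 1 and 5, got {rating}")
    return channel.asset * channel.vulnerability * channel.threat


# Assumed acceptable-risk level: a channel rated "medium" (3) on all three factors.
ACCEPTABLE_RISK = 3 * 3 * 3


def treatment(score: int, acceptable: int = ACCEPTABLE_RISK) -> str:
    """Step-6 decision: accept risk at or below the acceptable level, otherwise treat it."""
    return "accept" if score <= acceptable else "reduce, avoid or transfer"


def prioritize(channels: Iterable[PaymentChannel],
               acceptable: int = ACCEPTABLE_RISK) -> List[Tuple[PaymentChannel, int, str]]:
    """Return (channel, score, decision) rows in descending risk order.
    Equal scores keep their inventory order, because sorted() is stable."""
    scored = []
    for channel in channels:
        score = risk_score(channel)
        scored.append((channel, score, treatment(score, acceptable)))
    return sorted(scored, key=lambda row: -row[1])


# Constructed sample inventory; the ratings are illustrative, not the University of Alaska's.
SAMPLE_INVENTORY = [
    PaymentChannel("Online tuition portal (hosted redirect)", asset=5, vulnerability=2, threat=4),
    PaymentChannel("Dining hall POS (segmented, P2PE)", asset=3, vulnerability=1, threat=3),
    PaymentChannel("Parking kiosk on shared campus LAN", asset=2, vulnerability=5, threat=4),
    PaymentChannel("Athletics phone orders on paper forms", asset=2, vulnerability=4, threat=2),
    PaymentChannel("Bookstore web shop storing card data", asset=4, vulnerability=4, threat=5),
]


if __name__ == "__main__":
    # Print the ranked list the way an auditor would read it: highest risk first.
    for channel, score, decision in prioritize(SAMPLE_INVENTORY):
        print(f"{score:3d}  {decision:26s} {channel.name}")
```

Ties are deliberately left in inventory order rather than broken by a secondary factor; if two channels score the same, the auditor decides which to look at first, not the spreadsheet. The 1–5 scale and the threshold are the part of the model each institution has to calibrate for itself.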

Tools for Auditing PCI DSS in Your Institution

The Audit Process

Role of Internal Audit

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

The Institute of Internal Auditors

Audit – Effective tool

Focus on risk of occurrences that could prevent the University from achieving its goals

Risk factors:

Impact

Probability

Controls

There are many types of risk – non-compliance, fraud, improper reporting, ineffective or inefficient use of resources, reputational/credibility loss, etc.

Focus on areas with high risk and high probability that controls are not in place or are weak

Audit – Internal Controls

Internal controls are processes designed to provide reasonable assurance regarding the achievement of an organization’s objectives related to:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws, regulations and policies

Authoritative Guidance

Federal statutes and regulations governing financial and personally identifiable data (GLBA, HIPAA, FERPA, FISMA)

State statutes and regulations governing financial and personally identifiable data

PCI DSS

The PCI standards are available from the PCI SSC Document Library: https://www.pcisecuritystandards.org/document_library

Contract with acquiring bank

Your institution’s own PCI regulations, policies, and procedures

Overview of Process

Audit Plan set by Audit Committee or governing structure

Planning

Conduct research on topic

Set scope, usually set by cardholder data environment

Develop audit program, internal control questionnaire (ICQ), preliminary request for information

Conducting fieldwork

Internal Control Questionnaires (refer to handouts)

Test work

Reporting

Planning

Planning and Risk Assessment Guide

Solicitation for Concerns

Preliminary Survey

Data Analysis and Sampling Methodology

Risk and Fraud Risk Assessment

Prior Audits

Authoritative Guidance

Background Information

Auditor Independence Statement

Scope and Objectives Memo

Entrance Letter

Preliminary Request for Information

Entrance Meeting

Key Contacts

Planning Meetings

Field Work

Use the audit program to evaluate information provided from prior steps (preliminary information request, ICQs, meetings, etc.)

Assessment of environment

Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)

Documentation of compensating controls

Attestation of Compliance and Action Plan for Non-Compliant Requirements (if applicable)

Approved Scanning Vendor (ASV) scan reports

Vendor SSAE 16 (Statement on Standards for Attestation Engagements) reports

Reporting

Deliverables: Report, memo

Provide findings and recommendations

Five elements of audit findings: Condition, criteria, cause, consequence (effect), corrective action (recommendation)

Quality of Internal Audit Report

Objective – Comments and opinions should be objective and unbiased

Clarity – Simple and straightforward

Accuracy – Comments correct and on-point

Brevity – Concise

Timeliness – Issued promptly after fieldwork

Reporting – continued…

What was found

Why it happened

What is required

What effect it has

Recommendation for improvement

Response – who, when and how

This can be combined with the gap assessment, vulnerability scan reports and penetration test reports

Granularity

Determined by:

Risk-based auditing

Compliance-based auditing

Time

Scope


Sample Documents

• Program

• Preliminary Info Request

• ICQs

• Other helpful docs at:

– https://www.pcisecuritystandards.org

PCI Maturity Model

Level 0 – Not performed: Complete lack of any recognizable processes. The institution has not even recognized that there is an issue to be addressed.

Level 1 – Performed informally: There is evidence that the institution has recognized that the issues exist and need to be addressed. There are no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

Level 2 – Planned and tracked: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

Level 3 – Well defined and communicated: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

Level 4 – Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

Level 5 – Continuously improved: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity as recommended by the most current PCI DSS, providing tools to improve quality and effectiveness and making the institution quick to adapt.

Conclusions

• PCI compliance is not a one-time thing – it’s constantly changing

• Dissemination and training are very critical

• Assess your environment

• Do not hesitate to file deficiency reports and work on them

• Internal audit is an important tool to enforce compliance