Welcome. IT Exchange. November 19, 2013

Transcription

1 Welcome IT Exchange November 19, 2013

2 Agenda IT Services Action Plan Cybersecurity Payment Card Industry Data Security Standards GitLab OAuth 2.0

3 itservices.msu.edu/actionplan

4 Cyber Security Challenges in Higher Education Chief Information Security Officer Communicating Potential Threats Forming Group; Any Interest? End User Education Faculty and Staff Education

5 Payment Card Security Mary Nelson Gene Willacker Sally Burns

6 Mary Nelson Manager, Cashier s Office MSU must validate compliance Required by Bank/Visa/MC Due by March 31, 2014 Each merchant/unit/activity must complete Self-Assessment Questionnaire (SAQ) 5 versions PCI Office will help identify which SAQ is appropriate

7 Mary Nelson Manager, Cashier s Office Survey issued to gather information Survey data will indicate how card data is stored, processed, and transmitted Survey responses due December 4, 2013 SAQ validation process will be annual event going forward

8 Gene Willacker University PCI Compliance Officer PCI DSS v3.0 Payment Card Industry Data Security Standard PCI Scope of Compliance

9 PCI DSS 3.0 Effective January 1, is the v2 to v3 transition year Goals Focus on security, compliance will follow PCI compliance as business as usual Increase education Influencers CHD still a target; poor implementation, maintenance; malware; weak passwords; lack of awareness

10 PCI DSS 3.0 What will it do? Focus on higher risk areas Clarify many requirements Add flexibility Improve assessments Evolve with best practices, risks and threats

11 What is in scope for PCI compliance?

12

13 What is in scope for PCI DSS? All system components in or connected to the cardholder data environment (CDE) CDE People, processes, and technology that store, process, or transmit cardholder data Connected to includes Connected-to connected-to systems What about CASHNet scope? Today, data entry workstations

14 Changes in Scope Definition Web re-direction servers added Visa and MasterCard concern since 2010 May impact the security of the CDE Guidance in the E-Commerce SIG report Requirement in PCI DSS v3.0 CASHNet checkout stores now in scope!

15 Likely additional requirements for MSU CASHNet Servers Firewalls Hardened server configurations External vulnerability scanning Internal vulnerability scanning Patching critical updates within 30 days Security training for developers and sysadmins Code reviews Web application scanning Penetration tests

16 Sally Burns MS E-Commerce Team, University Systems Support, IT Services

17 CASHNet is the ONLY pre-approved ecommerce solution that MSU Units may use IT Services - University Systems - Business System s - ecommerce Team Goal is to help you find the simplest path to PCI compliance while meeting your business requirements.

18 CASHNet- Over $1 Billion in Revenue More than 250 Merchants Active since 2010 CASHNet at MSU Activity Year Transaction Counts Annual Revenue ,256 $ 71,035, ,630 $ 295,160, ,462 $ 359,971, (Ytd) 307,212 $ 303,843, Total 936,560 $ 1,030,010,496.68

19 The simplest path to PCI compliance and meeting your business requirements includes CASHNet ecommerce Team offers one-on-one consulting with technical and business staff. The CASHNet at MSU User Guide, CASHNet at MSU website, and monthly training are always available. Support is through the IT Services - Service Desk at itserve@msu.edu

20 CASHNet Storefronts Configurable to meet many needs. CASHNet emarket Storefront Samples: Conference Storefront Invoice Storefront More Samples:

21 CASHNet - Advanced emarket Storefront configurations can meet sophisticated requirements. Newer Features: Ability to collect data for unpaid items (i.e. attendee info). Variable pricing options (price depends on quantity purchased, menu selected, etc). CASHNet Storefront Features in the Pipeline: Sub-items (multiple account numbers per item). Discount codes. Report (excel) is ed to user on a daily basis. Testing use of MSUPayment with storefront.

22 CASHNet Reporting Item Code 3999-GTKSELF 3999-GTKSELF 3999-GTKSELF 3999-USRGRP 3999-USRGRP Attendee Attendee First Name Attendee Last Name Attendee Phone Number Name of Employer Nancy scooby Teachin the kids.com.net Dean Scooby School District of Eugene, OR.net arter.net Cyntha Smith Teachin the kids.com Paula Hartford org Amanda Cinzone org Amount Two items sold, different data collected for each. Exported into Excel. No real transaction data is shown on this page.

23 Questions? Contact Info Mary Nelson Gene Willacker Sally Burns PCISecurityStandards.org

24 GitLab Beta Code Repository and Oauth 2.0 Troy Murray

25