Welcome: IT Exchange, November 19, 2013

Agenda
  IT Services Action Plan
  Cybersecurity
  Payment Card Industry Data Security Standards
  GitLab
  OAuth 2.0

IT Services Action Plan: itservices.msu.edu/actionplan
Cyber Security Challenges in Higher Education
  Chief Information Security Officer
  Communicating potential threats
  Forming a group; any interest?
  End user education: http://tech.msu.edu/secureit/
  Faculty and staff education: http://eis.msu.edu/sid/
Payment Card Security
  Mary Nelson, Gene Willacker, Sally Burns
Mary Nelson, Manager, Cashier's Office
  MSU must validate compliance; required by bank/Visa/MC
  Due by March 31, 2014
  Each merchant/unit/activity must complete a Self-Assessment Questionnaire (SAQ)
  5 versions of the SAQ exist; the PCI Office will help identify which SAQ is appropriate

Mary Nelson, Manager, Cashier's Office
  Survey issued to gather information
  Survey data will indicate how card data is stored, processed, and transmitted
  Survey responses due December 4, 2013
  SAQ validation will be an annual event going forward
Gene Willacker, University PCI Compliance Officer
  PCI DSS v3.0 (Payment Card Industry Data Security Standard)
  PCI scope of compliance

PCI DSS 3.0
  Effective January 1, 2014; 2014 is the v2 to v3 transition year
  Goals:
    Focus on security; compliance will follow
    PCI compliance as business as usual
    Increase education
  Influencers:
    Cardholder data (CHD) is still a target
    Poor implementation and maintenance
    Malware
    Weak passwords
    Lack of awareness

PCI DSS 3.0: what will it do?
  Focus on higher-risk areas
  Clarify many requirements
  Add flexibility
  Improve assessments
  Evolve with best practices, risks, and threats

What is in scope for PCI compliance?
What is in scope for PCI DSS?
  All system components in or connected to the cardholder data environment (CDE)
  CDE: the people, processes, and technology that store, process, or transmit cardholder data
  "Connected to" also includes systems connected to the connected-to systems
  What about CASHNet scope? Today: data entry workstations
Changes in scope definition
  Web redirection servers added
  A Visa and MasterCard concern since 2010; they may impact the security of the CDE
  Guidance in the E-Commerce SIG report; a requirement in PCI DSS v3.0
  CASHNet checkout stores are now in scope!

Likely additional requirements for MSU CASHNet servers
  Firewalls
  Hardened server configurations
  External vulnerability scanning
  Internal vulnerability scanning
  Patching critical updates within 30 days
  Security training for developers and sysadmins
  Code reviews
  Web application scanning
  Penetration tests
Sally Burns, MS, E-Commerce Team, University Systems Support, IT Services

CASHNet is the ONLY pre-approved ecommerce solution that MSU units may use
  IT Services - University Systems - Business Systems - ecommerce Team
  Goal: help you find the simplest path to PCI compliance while meeting your business requirements
CASHNet: over $1 billion in revenue, more than 250 merchants, active since 2010

CASHNet at MSU activity

| Year       | Transaction Counts | Annual Revenue      |
|------------|--------------------|---------------------|
| 2010       | 22,256             | $71,035,438.14      |
| 2011       | 269,630            | $295,160,429.74     |
| 2012       | 337,462            | $359,971,100.82     |
| 2013 (YTD) | 307,212            | $303,843,527.98     |
| Total      | 936,560            | $1,030,010,496.68   |
The simplest path to PCI compliance and meeting your business requirements
  The CASHNet ecommerce Team offers one-on-one consulting with technical and business staff
  The CASHNet at MSU User Guide, the CASHNet at MSU website, and monthly training are always available
  Support is through the IT Services Service Desk at itserve@msu.edu

CASHNet storefronts are configurable to meet many needs
  CASHNet emarket storefront samples:
    Conference storefront: https://commerce.cashnet.com/msutest_0100
    Invoice storefront: https://commerce.cashnet.com/msutest_0110
  More samples: https://paymentsupport.ais.msu.edu/cashnetatmsu_stores.asp

CASHNet: advanced emarket storefront configurations can meet sophisticated requirements
  Newer features:
    Ability to collect data for unpaid items (e.g. attendee info)
    Variable pricing options (price depends on quantity purchased, menu selected, etc.)
  CASHNet storefront features in the pipeline:
    Sub-items (multiple account numbers per item)
    Discount codes
    Report (Excel) emailed to the user on a daily basis
    Testing use of MSUPayment with a storefront
CASHNet reporting (sample export; two items sold, different data collected for each; exported into Excel; no real transaction data is shown on this page)

| Item Code    | Attendee Email           | Attendee First Name | Attendee Last Name | Attendee Phone Number | Name of Employer              | Amount |
|--------------|--------------------------|---------------------|--------------------|-----------------------|-------------------------------|--------|
| 3999-GTKSELF | scoobydo@charter.net     | Nancy               | scooby             | 920-333-1212          | Teachin the kids.com          | 395.00 |
| 3999-GTKSELF | scoobydp@charter.net     | Dean                | Scooby             | 616-777-1313          | School District of Eugene, OR | 395.00 |
| 3999-GTKSELF | smith1234567@charter.net | Cyntha              | Smith              | 616-111-1234          | Teachin the kids.com          | 395.00 |
| 3999-USRGRP  | hartford@ahsd125.org     | Paula               | Hartford           | 616-222-2345          |                               | 195.00 |
| 3999-USRGRP  | cinzoooon@ahsd125.org    | Amanda              | Cinzone            | 616-333-1234          |                               | 195.00 |
Questions? Contact info
  PCIDSS@ctlr.msu.edu
  Twitter: @MSUPCI
  Mary Nelson: nelsonm@ctlr.msu.edu
  Gene Willacker: willacke@ctlr.msu.edu
  Sally Burns: burnssal@msu.edu
  PCISecurityStandards.org

GitLab Beta Code Repository and OAuth 2.0
  Troy Murray