Educause Security Discussion mailing list archives

Re: PCI


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 4 Oct 2006 13:18:48 -0600

COMMENTS INLINE IN CAPS.

-----Original Message-----
From: Penn, Blake [mailto:pennb () UWW EDU] 
Sent: Wednesday, October 04, 2006 9:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI

I have not heard of any universities being fined for non-compliance yet -
but who on Earth would want to publicize such information?  Visa is only
going to fine an institution when it both 1) discovers a breach and 2) when
the institution is in a state of non-compliance during said breach.  Even if
a breach actually occurs, an institution may choose not to report it
(although the practice of sweeping such incidents under the rug is probably
changing now due to the proliferation of state breach disclosure laws).

I CAN SPEAK TO TWO PCI BREACHES THAT WERE MADE PART OF THE PUBLIC
RECORD.  STARTING WITH THE FIRST BREACH, THE COST DUE TO FINES WAS EQUAL
TO THE COSTS OF PRESCRIBED REMEDIATION AND FORENSICS FROM OUR MERCHANT
BANK.  SUBSEQUENT COSTS (INTERNAL OPPORTUNITY COSTS, CONTROL/PROCEDURE
DEVELOPMENT) ARE LARGELY UNMEASURABLE BUT PROBABLY SURPASS BOTH
REMEDIATION AND FINES.

THE SAME WAS TRUE WITH A SECOND BREACH.  CHOOSING TO REPORT MAY NOT BE
AN OPTION; YOU HAVE A MERCHANT BANK TO SATISFY.  GIVEN THE CURRENT STATE
OF LAWS AND REGULATIONS, YOU ARE PROBABLY FOOLISH TO NOT PUBLICLY
DISCLOSE THE BREACH AND YOUR REMEDIATION EFFORT.

The chances of experiencing a breach of this information are, IMHO, very
low compared to the other sources of potential data breach on campus.  Just
think about it; a centralized, hardened, access-controlled,
process-documented and closely monitored payment database versus a
departmental Excel spreadsheet with student names and SSNs floating God
knows where and with whom around your institution - which is really going to
be a more likely point of data breach?

CHANCES ARE NOT THE ONLY COMPONENT OF RISK.  CONSEQUENCE PLUS LIKELIHOOD
NEED TO BE CONSIDERED.  THE CONSEQUENCES OF OUR TWO, SMALL BREACHES WERE
INTOLERABLE TO THE DEPARTMENTS INVOLVED, AND QUITE SIGNIFICANT TO THE
CAMPUS INVOLVED AS WELL.  EVEN THOUGH THE FORENSIC ANALYSIS PROVED
SATISFACTORILY TO THE CARD AGENCIES THAT THE DATA HAD NOT BEEN
COMPROMISED, THE LACK OF CONTROL WAS THE ISSUE THAT REQUIRED FINES AND
REMEDIATION.  GIVEN THE "ACADEMIC FREEDOM AND OPEN COMMUNICATION"
ATTITUDE OF MOST SCHOOLS THAT SEEMS TO DUMB DOWN ALL ACCOUNTABILITY AND
REASON, YOU MAY FIND THAT THERE IS A FAR HIGHER CHANCE OF BREACH THAN
YOU REALIZE.  WE FOUND WE HAD DOZENS UPON DOZENS OF SMALL OFFICES
SHARING MERCHANT IDS IN CREATIVE WAYS, WALKING CREDIT CARD INFO TO
LARGER MERCHANT OFFICES, CREATING CUSTOM WEB SOLUTIONS, STORING PAPER
COPIES... AND ON AND ON.  AFTER SOME SIGNIFICANT WORK WE NOW HAVE ONLY A
DOZEN OR SO DEPARTMENTS THAT MUST BE SCANNED QUARTERLY AND MEET FULL
COMPLIANCE STANDARDS.  MOST OF THE SMALLER OPERATIONS HAVE SEEN THE
LIGHT AND GOTTEN OUT OF THE BUSINESS OR TRANSFERRED RISK TO AN EXTERNAL
AGENCY (SUCH AS VERISIGN).

ADDITIONALLY, THE SOURCES OF PCI DATA ARE MUCH GREATER THAN YOU MIGHT
IMAGINE.  MANY OLD OR CUSTOM SYSTEMS WILL INCLUDE TRANSACTION LOGGING,
AND OFTEN THOSE LOGS (MEANT FOR SECURITY/INTEGRITY PURPOSES) WILL LITTER
A DRIVE WITH TEXT COPIES OF PCI CONTROLLED INFORMATION WITHOUT THE
KNOWLEDGE OF LOCAL PROGRAM ADMINISTRATORS.  ANY BREACH OF SUCH A SYSTEM
MUST IMMEDIATELY BE ASSUMED TO BE AN EXPOSURE OF CREDIT CARD INFORMATION
SINCE THE FILES ARE COMMONLY TEXT FILES.  THERE ARE ALSO MANY WAYS THAT
CREATIVE DEPARTMENTS WILL TACK ON SHADOW SYSTEMS, MAKE PAPER COPIES, OR
SIMPLY CREATE POORLY SECURED APPLICATIONS.

Being anywhere near compliance with the PCI DSS in most cases and in most
environments is going to mitigate your risk down to a very acceptable level
- again these standards are from the financial sector which has far stricter
security standards than almost all other sectors.  So even if you are not in
strict compliance, preventing an incident will likely go far to protect you
against fines and other penalties.  That being said, we aim for full
compliance here and I think that it is a good goal for most institutions to
do so.

HISTORY PROVES YOU WRONG HERE.  "NEAR COMPLIANCE" IS NOT ENOUGH AND HAS
NOT PREVENTED SIGNIFICANT FINES.  PERHAPS IT HAS REDUCED THE FINES BUT
THEY HAVE BEEN UNACCEPTABLE COSTS.  THERE IS NO EXCUSE FOR
NON-COMPLIANCE ON YOUR BEHALF TO YOUR CONTRACTED REQUIREMENTS.

CONSEQUENCES FOR OUR BREACHES (MOST WOULD CONSIDER THEM "SMALL" AND
"MILD" INCIDENTS) HAVE INCLUDED EXTERNAL FORENSIC EXAMS, EXTERNAL
AUDITS, FINES, REMEDIATION AND NOTIFICATION COSTS, PROGRAMMATIC AND
POLICY IMPLEMENTATION, DISCOVERY AND POLICY DEPLOYMENT, AND A LOT OF
INTERRUPTION AND UNWANTED PUBLIC PRESS AND ATTENTION.  ADDITIONALLY, DUE
TO THIS ATTENTION, WE MUST NOW COMPLY AT A HIGHER LEVEL, AND OUR
CONSEQUENCES ARE GREATER FOR THE NEXT BREACH; THUS, DESPITE ALL OF OUR
REMEDIATION, ONE MIGHT SAY OUR RISK IS GREATER DUE TO THE HIGHER
CONSEQUENCE.

I HOPE THIS IS INFORMATIVE...

JIM 

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
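The transaction-log problem Jim raises above (text logs quietly accumulating card numbers on a drive without the local administrator knowing) is something a campus can check for directly. The following is an added example, not code from this thread or from any institution mentioned in it: a small Python scanner that picks out Luhn-valid card-number candidates in log lines and reports them masked so the report itself does not become another copy of the data. The log lines are constructed samples using a well-known test card number, and the "first six, last four" masking follows the PCI DSS display rule.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most order ids, timestamps and counters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card-number candidates in one chunk of log text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Report only the first six and last four digits, the rest as '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, masked PAN) for every card-number candidate found."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines, 1) for p in find_pans(line)]


# Constructed sample log lines (not real data): 4111111111111111 is a
# well-known test card number; 1234567890123 is a 13-digit id that fails Luhn.
LOG_SAMPLE = [
    "2006-10-04 09:48:01 txn=000123 card=4111111111111111 amount=42.00 ok",
    "2006-10-04 09:48:05 txn=000124 order_id=1234567890123 amount=10.00 ok",
    "2006-10-04 09:48:09 txn=000125 card=4111-1111-1111-1111 amount=7.50 declined",
]

if __name__ == "__main__":
    for n, masked in scan_log_lines(LOG_SAMPLE):
        print(f"line {n}: possible card number {masked}")
```

Run against the text logs of a custom or legacy payment system, a hit means the system is in PCI scope whether or not anyone intended it to be.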
 
