Educause Security Discussion mailing list archives
Re: PCI
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 4 Oct 2006 13:18:48 -0600
COMMENTS INLINE IN CAPS.

-----Original Message-----
From: Penn, Blake [mailto:pennb () UWW EDU]
Sent: Wednesday, October 04, 2006 9:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI

I have not heard of any universities being fined for non-compliance yet - but who on Earth would want to publicize such information? Visa is only going to fine an institution when it both 1) discovers a breach and 2) when the institution is in a state of non-compliance during said breach. Even if a breach actually occurs, an institution may choose not to report it (although the practice of sweeping such incidents under the rug is probably changing now due to the proliferation of state breach disclosure laws).

I CAN SPEAK TO TWO PCI BREACHES THAT WERE MADE PART OF THE PUBLIC RECORD. STARTING WITH THE FIRST BREACH, THE COST DUE TO FINES WAS EQUAL TO THE COSTS OF PRESCRIBED REMEDIATION AND FORENSICS FROM OUR MERCHANT BANK. SUBSEQUENT COSTS (INTERNAL OPPORTUNITY COSTS, CONTROL/PROCEDURE DEVELOPMENT) ARE LARGELY UNMEASURABLE BUT PROBABLY SURPASS BOTH REMEDIATION AND FINES. THE SAME WAS TRUE WITH A SECOND BREACH. CHOOSING TO REPORT MAY NOT BE AN OPTION; YOU HAVE A MERCHANT BANK TO SATISFY. GIVEN THE CURRENT STATE OF LAWS AND REGULATIONS, YOU ARE PROBABLY FOOLISH NOT TO PUBLICLY DISCLOSE THE BREACH AND YOUR REMEDIATION EFFORT.

The chances of experiencing a breach of this information are, IMHO, very low compared to the other sources of potential data breach on campus. Just think about it; a centralized, hardened, access-controlled, process-documented and closely monitored payment database versus a departmental Excel spreadsheet with student names and SSNs floating God knows where and with whom around your institution - which is really going to be a more likely point of data breach?

CHANCES ARE NOT THE ONLY COMPONENT OF RISK. CONSEQUENCE PLUS LIKELIHOOD NEED TO BE CONSIDERED. THE CONSEQUENCES OF OUR TWO SMALL BREACHES WERE INTOLERABLE TO THE DEPARTMENTS INVOLVED, AND QUITE SIGNIFICANT TO THE CAMPUS INVOLVED AS WELL. EVEN THOUGH THE FORENSIC ANALYSIS PROVED SATISFACTORILY TO THE CARD AGENCIES THAT THE DATA HAD NOT BEEN COMPROMISED, THE LACK OF CONTROL WAS THE ISSUE THAT REQUIRED FINES AND REMEDIATION. GIVEN THE "ACADEMIC FREEDOM AND OPEN COMMUNICATION" ATTITUDE OF MOST SCHOOLS THAT SEEMS TO DUMB DOWN ALL ACCOUNTABILITY AND REASON, YOU MAY FIND THAT THERE IS A FAR HIGHER CHANCE OF BREACH THAN YOU REALIZE. WE FOUND WE HAD DOZENS UPON DOZENS OF SMALL OFFICES SHARING MERCHANT IDS IN CREATIVE WAYS, WALKING CREDIT CARD INFO TO LARGER MERCHANT OFFICES, CREATING CUSTOM WEB SOLUTIONS, STORING PAPER COPIES... AND ON AND ON. AFTER SOME SIGNIFICANT WORK WE NOW HAVE ONLY A DOZEN OR SO DEPARTMENTS THAT MUST BE SCANNED QUARTERLY AND MEET FULL COMPLIANCE STANDARDS. MOST OF THE SMALLER OPERATIONS HAVE SEEN THE LIGHT AND GOTTEN OUT OF THE BUSINESS OR TRANSFERRED RISK TO AN EXTERNAL AGENCY (SUCH AS VERISIGN).

ADDITIONALLY, THE SOURCES OF PCI DATA ARE MUCH GREATER THAN YOU MIGHT IMAGINE. MANY OLD OR CUSTOM SYSTEMS WILL INCLUDE TRANSACTION LOGGING, AND OFTEN THOSE LOGS (MEANT FOR SECURITY/INTEGRITY PURPOSES) WILL LITTER A DRIVE WITH TEXT COPIES OF PCI-CONTROLLED INFORMATION WITHOUT THE KNOWLEDGE OF LOCAL PROGRAM ADMINISTRATORS. ANY BREACH OF SUCH A SYSTEM MUST IMMEDIATELY BE ASSUMED TO BE AN EXPOSURE OF CREDIT CARD INFORMATION, SINCE THE FILES ARE COMMONLY TEXT FILES. THERE ARE ALSO MANY WAYS THAT CREATIVE DEPARTMENTS WILL TACK ON SHADOW SYSTEMS, MAKE PAPER COPIES, OR SIMPLY CREATE POORLY SECURED APPLICATIONS.

Being anywhere near compliance with the PCI DSS in most cases and in most environments is going to mitigate your risk down to a very acceptable level - again these standards are from the financial sector which has far stricter security standards than almost all other sectors. So even if you are not in strict compliance, preventing an incident will likely go far to protect you against fines and other penalties. That being said, we aim for full compliance here and I think that it is a good goal for most institutions to do so.

HISTORY PROVES YOU WRONG HERE. "NEAR COMPLIANCE" IS NOT ENOUGH AND HAS NOT PREVENTED SIGNIFICANT FINES. PERHAPS IT HAS REDUCED THE FINES, BUT THEY HAVE BEEN UNACCEPTABLE COSTS. THERE IS NO EXCUSE FOR NON-COMPLIANCE ON YOUR BEHALF TO YOUR CONTRACTED REQUIREMENTS. CONSEQUENCES FOR OUR BREACHES (MOST WOULD CONSIDER THEM "SMALL" AND "MILD" INCIDENTS) HAVE INCLUDED EXTERNAL FORENSIC EXAMS, EXTERNAL AUDITS, FINES, REMEDIATION AND NOTIFICATION COSTS, PROGRAMMATIC AND POLICY IMPLEMENTATION, DISCOVERY AND POLICY DEPLOYMENT, AND A LOT OF INTERRUPTION AND UNWANTED PUBLIC PRESS AND ATTENTION. ADDITIONALLY, DUE TO THIS ATTENTION, WE MUST NOW COMPLY AT A HIGHER LEVEL, AND OUR CONSEQUENCES ARE GREATER FOR THE NEXT BREACH; THUS, DESPITE ALL OF OUR REMEDIATION, ONE MIGHT SAY OUR RISK IS GREATER DUE TO THE HIGHER CONSEQUENCE.

I HOPE THIS IS INFORMATIVE...

JIM

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
Current thread:
- PCI Mclaughlin, Kevin L (mclaugkl) (Oct 04)
- <Possible follow-ups>
- Re: PCI Valdis Kletnieks (Oct 04)
- Re: PCI Theresa M Rowe (Oct 04)
- Re: PCI Conor McGrath (Oct 04)
- Re: PCI Brad Judy (Oct 04)
- Re: PCI Penn, Blake (Oct 04)
- Re: PCI Brad Judy (Oct 04)
- Re: PCI Jim Dillon (Oct 04)
- Re: PCI Mclaughlin, Kevin L (mclaugkl) (Oct 04)
- Re: PCI Steve Lovaas (Oct 05)