PCI Internal Controls and Auditing Requirements

Agenda


Introduction

PCI Governance /Advisory Team

What’s happening on campuses?

Risks of non-compliance

PCI DSS 3.2

PCI Lifecycle

Role of Internal audit

Tools for auditing PCI DSS

PCI Maturity model

Q & A

University of Alaska

America's Arctic university: a land, sea and space grant system, geographically distributed across three major campuses (Anchorage, Fairbanks and Juneau) with 17 satellite campuses and 28 facilities. As of 2016, total enrollment is 32,000.

(Map: Arctic Circle, 65th parallel)

Introduction

• Institutions of higher education are required to maintain PCI compliance
• They are at a disadvantage compared to other industries such as banking, services and retail
• Campuses host many different businesses that accept credit cards: tuition, student fees, campus cards, events, dining, housing, athletics, parking, online giving
• It is very difficult for one office to have knowledge of all of the above (the PCI office is often a one-person department)

Campuses and... Ah! Compliance

• Many departments want to accept payments by credit card, but their needs, resources, and business and system maturity differ
• E-commerce is complex, and it is not easy to decide who is 'in charge' of e-commerce
• Acquiring banks and card brands require that the institution be compliant with the most current version of the standard; non-compliance results in penalties and jeopardizes reputation
• What helps: centralized policies, education, management support and communication

PCI DSS

A standard that applies to:
- Merchants
- Service providers (third-party vendors, gateways)
- Systems (hardware, software)

that store, process or transmit cardholder data, and that covers both electronic and paper transactions.

The PCI compliance - 12 security requirements (PCI DSS 3.2 wording)

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components (a unique ID for each person with computer access).
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.

PCI Governance Team

The PCI Governance Team is a systemwide advisory team on all aspects (business, IT, compliance) of PCI and consists of:
- Chief Finance Officer / VP of Finance
- Controller
- Cash Manager
- Chief Information Technology Officer
- Network Operations
- Business unit managers
- IT managers
- Internal Audit
- IT Security
- Financial Systems

University of Alaska's PCI

• UA formed an e-commerce committee to centralize and prioritize payment systems
• The acquiring bank recommended that UA become compliant with PCI DSS
• The e-commerce committee transitioned into the PCI Advisory Team, chartered by the VP of Finance to develop PCI policy
• Hired a QSA to advise and to conduct vulnerability scans
• The PCI Advisory Team developed the PCI Administrative Policy, which requires an SAQ to be completed for each MID (merchant ID) by Oct 31 every year
• The PCI Advisory Team meets every month to review scan status and to update and prioritize all PCI tasks

PCI Governance/Advisory Team

• Deficiency reports
• SAQs
• Scope reduction efforts

Compliance vs. Validation

Compliance means adherence to the standard
- Applies to every merchant regardless of volume
- Covers technical and business practices

Validation is verification that the merchant (including its service providers) is compliant with the standard
- Applies based on the level assigned to the merchant by transaction volume
- Two types of validation: self-assessment (SAQ), or an on-site assessment by a Qualified Security Assessor (QSA)

Attestation: the Attestation of Compliance (AOC), signed by the merchant (and by the QSA when one performs the assessment) and submitted to the acquiring bank, attesting that validation has been performed

PCI Council – Consortium

- All merchants are subject to the standard and to card association rules
- No exemption is provided to anyone
- Immunity does not apply, because the requirement is contractual, not regulatory or statutory
- Card associations can be selective about whom they provide services to
- Merchants accept services on a voluntary basis
- Merchants agree to abide by association rules when they execute the merchant bank agreement
- Merchant banks are prohibited by association rules from indemnifying a merchant for not being compliant with the standard
- Association rules require merchant banks to monitor merchants to ensure their compliance
- Failure of a merchant bank to require compliance jeopardizes that bank's right to continue to be a merchant bank
- Any fines levied are against the merchant bank, which in turn passes the fines on to the merchant

Two Components to Validation

1. Annual Self-Assessment Questionnaire
   - Required of all merchants, regardless of level
   - Applies to both technical and business practices

2. Quarterly security vulnerability scan
   - Required for external-facing IP addresses: web applications, POS software and databases on networks
   - Applies even where the merchant's website only redirects to a third party, when that website can affect the security of the payment (SAQ A-EP)
   - Must be performed by an Approved Scanning Vendor (ASV)

The validation method depends on the level assigned to the merchant, which is based on transaction volume.

Three Components to Compliance

1. Self-Assessment Questionnaires for all registered MIDs
   - Make sure each MID is properly categorized (SAQ A through D)
   - File deficiency reports for requirements that are not met
2. Vulnerability scans
   - Clean (passing) scans
   - Assess what level of risk is acceptable (low, medium, high)
   - Certification by a Qualified Security Assessor (QSA)
3. Update policy/procedure
   - Include all recent changes

SAQ types – PCI DSS Version 3.2

Face-to-face and mail/telephone only:
- B: POS, analog, not connected to IP *
- B-IP: POS connected to IP * #
- C-VT: virtual terminal on IP, dedicated or segmented, keyed entry only * #
- C: POS software connected to IP, dedicated or segmented * #
- P2PE-HW: POS hardware managed with point-to-point encryption *
- D: cardholder data is stored #

eCommerce only:
- A: card-not-present, fully outsourced *
- A-EP: outsourced, but the website redirect can impact the security of the payment * #
- D: cardholder data is processed, transmitted, or stored #

Combination of face-to-face and eCommerce:
- D: all merchants not included entirely in any one of the above, or where cardholder data is stored (systems are connected / not segmented) #

* indicates cardholder data is not stored; # indicates vulnerability scanning is required.
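As an added example (not part of the original slides and not the University of Alaska's own tooling), the following Python script performs the auditor's test work implied by the validation and compliance components above and by the SAQ table: for each MID in an inventory it checks that the MID is categorized consistently with whether it stores cardholder data (every type except D is marked *), that an SAQ is on file for the current cycle (UA's Oct 31 deadline), and, for the SAQ types marked #, that a passing ASV scan is no more than 90 days old. The inventory, MIDs and department names are constructed sample data; the 90-day scan window and the rule that an SAQ filed after the previous year's deadline belongs to the current cycle are assumptions made for the example.

```python
"""Deficiency report over a MID inventory (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# SAQ types from the slide's table for PCI DSS 3.2. True where the legend marks
# the type with '#', i.e. quarterly ASV vulnerability scanning is required.
SCAN_REQUIRED = {
    "A": False, "A-EP": True, "B": False, "B-IP": True,
    "C-VT": True, "C": True, "P2PE-HW": False, "D": True,
}
SCAN_MAX_AGE = timedelta(days=90)   # assumption: "quarterly" = a passing scan is good for 90 days
SAQ_DEADLINE = (10, 31)             # UA policy: an SAQ per MID by Oct 31 every year


@dataclass
class Merchant:
    mid: str                          # merchant ID (hypothetical values below)
    department: str
    saq_type: str                     # SAQ type the department categorized itself as
    stores_chd: bool                  # does this merchant store cardholder data?
    saq_filed: Optional[date]         # date the most recent SAQ was filed, or None
    last_clean_scan: Optional[date]   # date of the most recent passing ASV scan, or None


def latest_deadline(as_of: date) -> date:
    """Most recent Oct 31 SAQ deadline on or before as_of."""
    month, day = SAQ_DEADLINE
    deadline = date(as_of.year, month, day)
    return deadline if deadline <= as_of else date(as_of.year - 1, month, day)


def audit_merchant(m: Merchant, as_of: date) -> List[str]:
    """Return the deficiency findings for one MID (empty list = no finding)."""
    findings: List[str] = []

    # 1. Categorization: only SAQ D covers stored cardholder data, so a merchant
    #    that stores it cannot be on any of the '*' types.
    if m.saq_type not in SCAN_REQUIRED:
        return [f"unknown SAQ type {m.saq_type!r}; re-categorize (SAQ A-D)"]
    if m.stores_chd and m.saq_type != "D":
        findings.append(f"stores cardholder data but is categorized as SAQ {m.saq_type}; must use SAQ D")

    # 2. Annual SAQ: an SAQ filed after the previous year's deadline belongs to the
    #    current cycle (assumption); one filed after the latest deadline is late but counts.
    deadline = latest_deadline(as_of)
    previous_deadline = date(deadline.year - 1, deadline.month, deadline.day)
    if m.saq_filed is None or m.saq_filed <= previous_deadline:
        findings.append(f"no SAQ on file for the cycle due {deadline.isoformat()}")
    elif m.saq_filed > deadline:
        findings.append(f"SAQ filed late ({m.saq_filed.isoformat()}; due {deadline.isoformat()})")

    # 3. Quarterly ASV scan, only for the types the legend marks with '#'.
    if SCAN_REQUIRED[m.saq_type]:
        if m.last_clean_scan is None:
            findings.append("scanning required but no passing ASV scan on file")
        elif as_of - m.last_clean_scan > SCAN_MAX_AGE:
            age = (as_of - m.last_clean_scan).days
            findings.append(f"last passing ASV scan is {age} days old (limit {SCAN_MAX_AGE.days})")
    return findings


def audit(merchants: List[Merchant], as_of: date) -> List[Tuple[str, str]]:
    """Deficiency report: (MID, finding) pairs across the whole inventory."""
    return [(m.mid, f) for m in merchants for f in audit_merchant(m, as_of)]


# Constructed sample inventory (hypothetical MIDs and departments, not UA data).
AS_OF = date(2017, 12, 1)
INVENTORY = [
    Merchant("MID-1001", "Dining",        "B",    False, date(2017, 10, 15), None),
    Merchant("MID-1002", "Parking",       "C",    False, date(2017, 10, 20), date(2017, 11, 10)),
    Merchant("MID-1003", "Online giving", "A-EP", False, date(2017, 10, 1),  date(2017, 7, 1)),
    Merchant("MID-1004", "Athletics",     "C-VT", True,  date(2017, 10, 30), date(2017, 11, 20)),
    Merchant("MID-1005", "Housing",       "D",    True,  date(2016, 9, 30),  None),
    Merchant("MID-1006", "Events",        "B-IP", False, date(2017, 11, 15), date(2017, 10, 5)),
]

if __name__ == "__main__":
    for mid, finding in audit(INVENTORY, AS_OF):
        print(f"{mid}: {finding}")
```

Run as-is, the script reports five findings: a stale scan for MID-1003, a mis-categorized MID-1004, a missing SAQ and a missing scan for MID-1005, and a late SAQ for MID-1006; MID-1001 (SAQ B, no scan needed) and MID-1002 are clean. Replace the inventory with an export from the MID register and the scan-portal dates to turn this into the deficiency-report step of the audit program.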

Threat – Detect, Response and Recovery

(Chart; source: Cisco Threat Report)

PCI DSS 3.2 – Threat is the main driver

6 control objectives, 12 core requirements, 290+ audit procedures

Key changes in 3.2:
- Multi-factor authentication for all non-console administrative access into the cardholder data environment (8.3.1)
- 5 new sub-requirements for service providers (in Requirements 3, 10, 11 and 12)
- 2 new appendices
- SSL/early TLS migration deadline
- Designated Entities Supplemental Validation (DESV)

Drivers:
- Changing payment and threat environment
- Breach reports and compromise trends
- Feedback from industry

PCI Lifecycle

(Diagram of stakeholders: Treasury/Controller, Business unit, IT Security, Compliance, Legal, Audit, Risk Services)

PCI lifecycle – Discussion

1. Policy – authoritative source by which processes/actions are measured

2. Inventory – an accounting conducted by the auditee to validate fiduciary responsibilities are fulfilled

3. Prioritize – a determination of whether the auditee has evaluated assets and risks while “getting the job done”

PCI lifecycle – continued

4. Vulnerabilities – the weak link in the chain. Is a process in place to find vulnerabilities? Can the auditor find them?

5. Threats – what threats are known? Is a process in place to watch for new threats? Does the auditee have a process to eliminate, mitigate, or respond to threats?

6. Risk – the optimization of risk. Is risk reduced to acceptable levels? Risk to people, revenue, assets, and reputation? Evaluate the decision to accept, avoid, reduce, or transfer each risk.

PCI lifecycle – continued

7. Remediation – when inadequacies are found, the auditor will want to see a plan to remedy the situation. The auditor will follow up to validate that the remediation plan was implemented and works.

8. Measure – accounting is specific and measurable; auditors want to see the quantitative and qualitative results (bean counters…).

9. Compliance – a determination of how closely processes align with authoritative guidance

Assess Risk

Risk is the product of:
- Assets
- Vulnerabilities
- Threats

Rank based upon the criticality of each of A, V and T, and focus your resources on the true risk.

See handout – spreadsheet #1

Tools for Auditing PCI DSS in Your Institution – The Audit Process

Role of Internal Audit

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. ”

The Institute of Internal Auditors

Audit – An Effective Tool

Focus on risk of occurrences that could prevent the University from achieving its goals

Risk factors:

Impact

Probability

Controls

There are many types of risk – non-compliance, fraud, improper reporting, ineffective or inefficient use of resources, reputational/credibility loss, etc.

Focus on areas with high risk and high probability that controls are not in place or are weak

Audit – Internal Controls

Internal controls are processes designed to provide reasonable assurance regarding the achievement of an organization's objectives related to:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws, regulations and policies

Authoritative Guidance

Federal statutes and regulations governing financial and personally identifiable data (GLBA, HIPAA, FERPA, FISMA)

State statutes and regulations governing financial and personally identifiable data

PCI DSS

The PCI Standards available from the PCI SSC Document Library: https://www.pcisecuritystandards.org/document_library

Contract with acquiring bank

Your institution’s own PCI regulations, policies, and procedures

Overview of Process

Audit plan set by the Audit Committee or governing structure

Planning

Conduct research on the topic

Set scope, usually bounded by the cardholder data environment (CDE)

Develop audit program, internal control questionnaire (ICQ), preliminary request for information

Conducting fieldwork

Internal Control Questionnaires (Refer to hand outs)

Test work

Reporting

Planning

Planning and Risk Assessment Guide

Solicitation for Concerns

Preliminary Survey

Data Analysis and Sampling Methodology

Risk and Fraud Risk Assessment

Prior Audits

Authoritative Guidance

Background Information

Auditor Independence Statement

Scope and Objectives Memo

Entrance Letter

Preliminary Request for Information

Entrance Meeting

Key Contacts

Planning Meetings

Field Work

Use the audit program to evaluate the information provided by the prior steps (preliminary information request, ICQs, meetings, etc.)

Assessment of the environment:

Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)

Documentation of compensating controls

Attestation of Compliance and action plan for non-compliant requirements (if applicable)

Approved Scanning Vendor (ASV) scan reports

Vendor SSAE 16 (Statement on Standards for Attestation Engagements) reports for third-party service providers (SSAE 16 has since been superseded by SSAE 18)

Reporting

Deliverables: Report, memo

Provide findings and recommendations

Five elements of audit findings: Condition, criteria, cause, consequence (effect), corrective action (recommendation)

Quality of Internal Audit Report

Objective – Comments and opinions should be objective and unbiased

Clarity – Simple and straightforward

Accuracy – Comments correct and on-point

Brevity – Concise

Timeliness – Issued promptly after fieldwork

Reporting – continued

What was found

Why it happened

What is required

What effect it has

Recommendation for improvement

Response – who, when and how

This can be combined with the gap assessment, the vulnerability scan reports and the penetration test reports

Granularity

Determined by:

Risk-based auditing

Compliance-based auditing

Time

Scope


Sample Documents

• Program

• Preliminary Info Request

• ICQs

• Other helpful docs at:

– https://www.pcisecuritystandards.org

PCI Maturity Model

Level 0 – Not performed: Complete lack of any recognizable processes. The institution has not even recognized that there is an issue to be addressed.

Level 1 – Performed informally: There is evidence that the institution has recognized that the issues exist and need to be addressed. There are no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

Level 2 – Planned and tracked: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

Level 3 – Well defined and communicated: Procedures have been standardized, documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

Level 4 – Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

Level 5 – Continuously improved: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity as recommended by the most current PCI DSS, providing tools to improve quality and effectiveness and making the institution quick to adapt.

Conclusions

• PCI compliance is not a one-time thing; the standard and the environment are constantly changing
• Dissemination and training are critical
• Assess your environment
• Do not hesitate to file deficiency reports and to work on them
• Internal audit is an important tool for enforcing compliance