Post on 17-Jan-2016
1
PCI PROJECT UPDATE
Jeff Gassaway, CIPP, CISSP, ISPO
2
Agenda
History
State of the Project
Future
3
PCI History (and just what is PCI?)
• Payment Card Industry Data Security Standard - PCI-DSS
• Minimum standard for securing Card Holder Data Environments (CDEs)
• PCI DSS V 1.0 12/15/2004
• PCI DSS V 3.0 1/1/2015
• PCI DSS V 3.1 4/15/2015
4
UNM History
• High Volume PCI Transactions:
  • TouchNet (Bursars)
  • Ticketing (Pit and Popejoy)
  • Parking
  • KNME and KUNM
• Major Discussions and Work:
  • Cardholder Data Environment
  • Scope
  • Overall Compliance
  • Risks
  • Incidents
5
State of the Project
• PCI Initiative
  • Project in good health
  • Covers CFO areas (and others that connect)
  • Prepares for Provost areas
6
State of the Project II – Core Team
• Currently
  • Conducting site visits
  • Assisting with Cardholder Data Environment Diagrams
  • Assisting with deploying standard solutions
  • Coordinating and working with staff in business units
• Planned
  • Assist with Self-Assessment Questionnaires (SAQs)
  • Assist with mitigating additional risks that surface
  • Transfer and Train on
    • Policies and Standard Operating Procedures
  • Schedule Learning Central PCI training
7
The Core PCI Project Team
• John Colangelo – IT PM
• Jeff Gassaway – IT Project Champion
• Elaine Rising – IT Business Analyst
• Lucas Walker – Technical Team – Information Security
• Eric Woods – Technical Team – Information Security
8
State of the Project III - Steering
• Monitor project progress
• Make decisions (background checks, additional solutions)
• Escalate issues
• Review and approve
  • Project documents (charters and standard solutions)
  • Policy changes (7200 and 7215)
  • Business process changes (demising MIDs or business lines)
9
The Steering Committee
• Jeff Gassaway – ISPO
• Gil Gonzales – CIO
• Keith Mellor – UNM Treasurer
• Liz Metzger – UNM Controller
• Laura Putz – HSC Representative
• Chris Vallejos – VP Institutional Support Services
• Melissa Vargas – Provost Representative
10
State of the Issues
• Project budget is approved
• Project plan is complete and awaiting signatures
• New Merchant IDs continue to be discovered*
• Current device types and locations continue to be discovered*
• All card processing units have a SP site for ongoing management
• Standard solutions will solve compliance for ~88% of MIDs
• 25 (about half) of site visits complete
• 30% overall project completion
• On track for end of October completion
• *Standard solutions have met business needs so far
11
Future
• Approve, publish and transfer UNM Policies and SOPs
• Register staff for PCI training module in Learning Central
• Deploy standard solutions or initiate subprojects
• Validate that no Cardholder Data remains
• Transition to maintenance mode
• Monitor for updates to standard and tune program accordingly