Web Advisory Committee June 17, 2009. Implementing E-commerce at UW Current Status and Future...
Page 1
Web Advisory Committee, June 17, 2009
Page 2
- Implementing E-commerce at UW: Current Status and Future Plans
- PCI Data Security Standard
- Questions
Page 3
- Prepare an e-commerce business plan.
- Obtain approval from the Financial Systems Management Committee.
- Organize the project.
- Obtain a bank merchant account and a Beanstream account.
- Design/build the application, install a packaged application, or configure a hosted application according to standards (PCI, bank, UW).
- Integrate with Beanstream if not hosted.
- Test.
- Review/sign-off by Finance and Security.
- Go live.
Page 4
- Describe the products or services to be offered and the rationale for offering them via e-commerce.
- Provide estimated annual transaction and dollar volume.
- Describe the business process to handle the additional workload from the e-commerce function, including the accounting, maintenance, and reconciliation of general ledger accounts and the credit card operation.
- Indicate whether the operation currently accepts credit cards.
- Identify the hardware requirements and hardware location.
- Identify the source of technical support.
- Identify areas or departments that need to be involved in the development and implementation of your e-commerce initiative; examples may include Finance, Information Systems and Technology, or Procurement and Contract Services.
- Identify the working group to develop the initiative.
Page 5
- Must use Beanstream for credit card processing. Beanstream provides multiple integration methods.
- UW uses Beanstream's hosted payment page to ensure security and privacy, and for easier PCI compliance. No credit card information is stored on a UW server.
- IST provides an e-commerce server to host Linux applications.
- Use of other, secure servers is acceptable.
Page 6
- May use a hosted shopping cart / event management site. Little experience with this at UW.
- Must use Beanstream for credit card payment processing in all cases.
Page 7
- Retail Services
- Housing
  - Residence deposits
  - Off-campus housing landlord fees
- Watcard
- Parking
- CEMC
- Events and conferences come and go
Page 8
- Continuing Education
- Conference Centre
- Food Services
Page 9
- UW-approved, hosted shopping cart system.
- UW-approved, hosted event/conference system.
- Hosting will significantly reduce implementation effort for all UW participants.
- Will make small-volume e-commerce sites more feasible.
Page 10
- PCI = Payment Card Industry (Amex, Discover, JCB, MC, Visa)
- PCI Data Security Standard (DSS)
- PCI DSS v1.2 released October 2008; 72-page document
- Consistent security measures around the processing, storage, and transmission of credit card data
- A nice baseline of security measures for any application
Page 11
Page 12
- Depends on how credit card data is handled
- SAQ = Self-Assessment Questionnaire
- Assessment from an external QSA
- Regular network scans of e-commerce sites

SAQ validation types:

| Type | Description | SAQ v1.2 |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no electronic cardholder data storage | B |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage | B |
| 4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage | C |
| 5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | D |
Page 13
- Our acquirer requires us to be compliant with PCI DSS
- All validation types apply to UW
- Security measures for validation type 5 are expensive
- Strategy: eliminate cases where validation type 5 applies
Page 14
- E-commerce websites must not collect, transmit or store credit card information
- Reduce scope: isolate IP-based PoS terminals from the rest of the campus network
- Include in more general security policies and procedures
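The first bullet is a rule a reviewer has to verify before sign-off: a site that hands the customer to the hosted payment page should never see a card number, so application logs, form captures and database dumps should contain none. The following check is an added example, not material from the presentation or from UW or Beanstream. It scans constructed sample log lines (the card numbers are the well-known test PANs, not real data) for 13- to 19-digit sequences, keeps only those that pass the Luhn check to cut false positives from order numbers and timestamps, and reports the hits masked so the scanner itself does not copy cardholder data anywhere.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample records, the kind of lines a reviewer would grep before
# sign-off. Lines 3 and 5 contain a test PAN (4111 1111 1111 1111); line 4
# holds a 14-digit order reference that fails the Luhn check.
SAMPLE_LINES = [
    "2009-06-17 10:01:02 POST /checkout form=amount:45.00&order=1234",
    "2009-06-17 10:01:05 redirect -> hosted payment page token=ab12cd",
    "2009-06-17 10:02:11 POST /legacy/pay card=4111111111111111&exp=12/11",
    "2009-06-17 10:03:40 order 55555555555555 shipped",
    "2009-06-17 10:04:00 ref 4111-1111-1111-1111 stored in notes",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be reported safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(line: str) -> List[str]:
    """Return masked PAN-like values found in one line (Luhn-valid only)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan lines and return (line_number, masked_pan) for every finding."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            findings.append((n, masked))
    return findings


if __name__ == "__main__":
    for line_no, masked in scan(SAMPLE_LINES):
        print(f"line {line_no}: possible cardholder data {masked}")
```

Any hit means the site is handling card data itself and would fall out of the outsourced (type 1) case; the right fix is to remove the code path that collects the number, not to encrypt the log. Run the same scan over form field names, database schemas and backups, since "store" covers more than logs.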
Page 15
- Heavy fines from the acquiring bank
- The bank could suspend the University's ability to process any credit card
Page 16
- http://finance.uwaterloo.ca/ecommerce/ecommain.html
- https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
- https://strobe.uwaterloo.ca/~twiki/bin/view/ISTITSec/EcommerceSystemSecurityStandards
Page 17