Re: Budget for PCI DSS SAQ D for Bookstore Operations

[John Ladwig <John.Ladwig () CSU MNSCU EDU>]

I once S-WAGged with a QSA and came up with about $100k up-font security infrastructure and incremental staffing, based 
on adding not-in-place technologies such as IDS, log management, file integrity monitoring, additional firewall 
management, additional internal and external scanning, and suchlike.

I'm not sure how many in-scope networks a single assurance/IT-ops staffer could manage, because we're not (currently) 
organized in a way that made that analysis possible or practical.  As it was, assuming a hypothetical high-functioning 
IT person with requisite training, we figured that ongoing ops-staffing would be at least a quarter of an FTE over a 
year.

Fortunately, ASV scanning has become quite commoditized, and there's a good selection of affordable services available, 
if your Internet-visible scope is as small as most level 4s can achieve.  Our better engineered bookstore environments 
have only one or 2 public IPs exposed and subject to ASV scans.

By comparison, we also spitballed breach costs at around $500k, based on the forensic QSA costs, escalation to Level-1 
status and its ROC requirements, penalties, etc.

So, if you could pull off deploying all the infrastructure and operational upgrades to get to a SAQ-D for $100k, then 
add in incremental operating costs, you'd need to expect a breach every 6 years or so for it to be clearly 
cost-effective to comply at a SAQ-D level.  For our level-4 merchants, that's simply not in anyone's margins.  

You could possibly do it with heroes and open source tools for somewhat less up-front cost, which would push out the 
breach frequency required for payback.

Oh - before anyone asks, the beer mat those calculations were done on became sodden and is lost to time.  I'd also be 
really interested if someone has a non-beer-mat budget sketched out, and is willing to share.

I remain convinced that the Council is going to have to bifurcate the DSS if they're going to achieve anything like 
compliance across that vast pool of small shops that are the level-4s.  Heck, level-3s are only being reported as 
having a 60% compliance rate at first examination:

  
http://storefrontbacktalk.com/securityfraud/level-3-merchants-hit-pci-compliance-at-60-percent-visa-confirms-numbers-for-the-first-time/

   -jml


> > > Joel Rosenblatt <joel () COLUMBIA EDU> 2011-08-03 10:45 >>>
How much do you have :-)

This was one of those projects that just kept on growing .. you should consider hiring a full time PCI Compliance 
person, you will also need to allocate 
(depending on the size of your operation) a security person to deal with the local scans.

We are working with Trustwave to provide an online portal to track all information, scans, provide and track training, 
do external scans, fill out SAQs, etc.

With all that was involved, it took us about a year just to get things under control (we have hundreds of MIDs and 
almost 1000 people to train)

So, with that said, a budget of a few 100K should do the trick :-)

Your mileage may (and I hope it does) vary .. we are driving a Hummer :-)

Joel

--On Wednesday, August 03, 2011 9:55 AM -0500 "Self, Dennis" <dlself () SAMFORD EDU> wrote:

> Colleagues,
>
> Thank you for all your perspectives and comments.  Does anyone have a budget they developed for attaining SAQ D 
> compliance?
>
> Kind regards,
>
> Dennis Self
> Director, IT Security & Compliance
> Technology Services
> Samford University
> (205) 726-2692
>
> From: "Henninger, Craig" <chenninger () CAMPUSGUARD COM<mailto:chenninger () CAMPUSGUARD COM>>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
> LISTSERV EDUCAUSE EDU>>
> Date: Wed, 3 Aug 2011 07:06:22 -0500
> To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
> EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
> Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations
>
> In most cases, it is very difficult for merchants in a higher ed environment to qualify for SAQC. This SAQ was 
> written for IP based POS devices and
> standalone workstations that run some form of POS software. If you have systems on a LAN that communicate for domain 
> login, AV signatures, etc. Then you need
> to use SAQ D.
>
> Craig
>
>
> On Aug 2, 2011, at 10:21 PM, "John Ladwig" <John.Ladwig () CSU MNSCU EDU<mailto:John.Ladwig () CSU MNSCU EDU>> wrote:
>
>
> In my experience w/ level 4 merchants and a mix of sizes of acquiring banks, the banks  won't help directly, but *if* 
> they have a preferred QSA firm, the
> QSAs may be able to help.
>
> But it'll cost you, the merchant.
>
>     -jml
>
>
> -----Original Message-----
> From: Nick Lewis
> Sent: 2011-08-02 20:46:26
> To: Nick Lewis;The EDUCAUSE Security Constituent Group Listserv
> Cc:
> Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations
>
>
> You may also want to talk to your acquiring bank to see if they can offer
> you any advice if you don't have a QSA. Your acquiring bank may help you
> work through scoping and if SAQ C or D in the environment.
>
> Nick
>
> -----Original Message-----
> From: Joel Rosenblatt
> Sent: Tuesday, August 02, 2011 2:58 PM
> To: <mailto:SECURITY () LISTSERV EDUCAUSE EDU> SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE 
> EDU>
> Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations
>
> There is also something that they call a "one hop rule" .. so, for example,
> if you get your updates from Microsoft directly (automatic update) then your
> OK, or
> if the systems you are getting your service from are NOT maintained by you
> (DNS for example), then your OK (the idea being that the chances of two
> different
> organizations screwing up at the same time is less probable)
>
> But, if your running your own AD and the machines are connecting to your AD
> server, then you need to fill out a SAQ D
>
> When in doubt, please consult with your ISV ... and remember, you can shop
> around for one that agrees with you :-)
>
> Joel
>
> --On Tuesday, August 02, 2011 2:27 PM -0500 John Ladwig
> <John.Ladwig () CSU MNSCU EDU<mailto:John.Ladwig () CSU MNSCU EDU>> wrote:
>
> > A strict reading of #2 could imply that A/V update systems, backup servers
> > and WiSUS/SCM would need to be located entirely within the Cardholder Data
> > Environment in order to retain SAQ-C status.
> >
> > Has anyone gotten a recent QSA opinion one way or the other on that issue?
> >
> >    -jml
> >
> > > > > "Bazeley, Joseph E." <bazeleje () MUOHIO EDU<mailto:bazeleje () MUOHIO EDU>> 2011-08-02 13:38 >>>
> > Why is it that I never enjoy the days where I learn something new about
> > PCI? ;)
> >
> > From the PCI docs at
> > <https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf>
> > https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf, here are the 6 things you need to 
> > confirm to be SAQ C:
> >
> > "1. Your company has a payment application system and an Internet
> > connection on the same device and/or same local area network (LAN);
> > 2. The payment application system/Internet device is not connected to any
> > other systems within your environment (this can be achieved via network
> > segmentation to isolate payment application system/Internet device from
> > all other systems); 3. Your company store is not connected to other store
> > locations,
> > and any LAN is for a single store only;
> > 4. Your company retains only paper reports or paper copies of receipts;
> > 5. Your company does not store cardholder data in electronic format; and
> > 6. Your company's payment application software vendor uses secure
> > techniques to provide remote support to your payment application system."
> >
> > The proxy server Joel mentioned would violate #2, which would push you
> > into SAQ D.
> >
> > Joe
> >
> > -----Original Message-----
> > From: Joel Rosenblatt [<mailto:joel () columbia edu>mailto:joel () columbia edu] 
> > Sent: Tuesday, August 02, 2011 2:08 PM
> > To: The EDUCAUSE Security Constituent Group Listserv
> > Cc: Bazeley, Joseph E.
> > Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations
> >
> > SAQ D does not only mean you are storing credit cards .. it also applies
> > when you have a "complicated network" - even if none of the machines are
> > storing
> > credit cards
> >
> > A complicated network means that machines are connected together in some
> > way - for example, if you are using a proxy server for the traffic leaving
> > your edge
> >
> > I'm not an ISV, but I've played one on TV :-)
> >
> > Joel
> >
> > --On Tuesday, August 02, 2011 2:01 PM -0400 "Bazeley, Joseph E."
> > <bazeleje () MUOHIO EDU<mailto:bazeleje () MUOHIO EDU>> wrote:
> >
> > > Can you get them to use PCI DSS SAQ C instead?  SAQ D means that they're
> > > storing credit card numbers, which will make their PCI compliance effort
> > > require
> > > more resources and increases the likelihood of a breach leading to
> > > exposed credit card numbers and the associated notification.  If they
> > > don't have an
> > > extremely good reason to store those credit card numbers (and it needs to
> > > provide an associated benefit that outweighs the cost from doing so),
> > > they should
> > > quit storing them.
> > >
> > > Regards,
> > > Joe
> > >
> > > Joe Bazeley
> > > Information Security Officer
> > > Miami University
> > > Hoyt Hall 314
> > > 513-529-9252
> > >
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [<mailto:SECURITY () listserv educause edu>mailto:SECURITY () listserv educause edu] On Behalf Of Self, Dennis
> > > Sent: Tuesday, August 02, 2011 1:56 PM
> > > To: <mailto:SECURITY () listserv educause edu> SECURITY () listserv educause edu<mailto:SECURITY () listserv 
> > > educause edu>
> > > Subject: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations
> > >
> > > Security Friends,
> > >
> > > Have you developed a budget for PCI DSS SAQ D compliance for your
> > > bookstore operation in the recent past?  For my institution, the
> > > bookstore may be the only
> > > operation that cannot be reasonably remediated to qualify for SAQ A or B.
> > > If you are willing to share your budget, please respond offline.  Also
> > > please let
> > > me know if I may identify you and your institution to our administration.
> > > Lastly, if you reverted back in technology to dial terminals as a
> > > solution, please
> > > let me know.
> > >
> > > Kind regards,
> > >
> > > Dennis Self
> > > Director, IT Security & Compliance
> > > Technology Services
> > > Samford University
> > > (205) 726-2692
> >
> >
> >
> > Joel Rosenblatt, Manager Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > <http://www.columbia.edu/~joel> http://www.columbia.edu/~joel 
> > Public PGP key
> > <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3> 
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3 
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> <http://www.columbia.edu/~joel>http://www.columbia.edu/~joel 
> Public PGP key
> <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>  



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel 
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3