PCI Security Awareness for ECU Payment Card Merchants

Transcription

1 PCI Security Awareness for ECU Payment Card Merchants Read this document carefully. Sign, date, and return the last page to your departmental PCI coordinator, who is required to store the documentation for 1 year. Retain the rest of the document for your reference. This document applies to all business units, personnel, contractors, and computers involved in storing, processing, transmitting, or receiving Payment Card Cardholder Data at East Carolina University. Definitions for terms used in this document: 1. PCIDSS = Payment Card Industry Data Security Standard (currently version 1.2, released in October 2008). Details of PCIDSS are available from the PCI Data Security Standards Council website at: 2. Payment Card = credit card or debit card. 3. PAN = Primary Account Number (full credit card or debit card numbers). 4. Cardholder Data = personally identifiable data associated with a PAN, expiration date, name, address, or Social Security number. 5. OSC = North Carolina Office of the State Controller. ECU business units and their employees with access to Cardholder Data must adhere to all requirements for compliance with PCIDSS. Questions about PCI compliance at ECU should be directed to Brian Heath in Financial Services. You are responsible for the security of the Cardholder Data that you store, access, process, transmit, or receive. Do not process or store Cardholder Data unless your business unit has been certified PCI compliant by ECU Financial Services. PCI compliance requirements are determined by the PCI Data Security Standards Council, acting on behalf of the major payment card companies (e.g., Visa, MasterCard). PCI compliance is mandatory and must be certified by ECU Financial Services annually or any time your card processing environment changes. Payment Card companies (e.g., Visa, MasterCard) can punish violators by revoking card processing privileges for the entire University, fining the University (starting at $500,000 per violation), and requiring onsite compliance auditing by a certified external security assessor at your expense. How to Care for Cardholder Data PCI compliance requirements depend upon your method of storing, accessing, processing, receiving, and transmitting of Cardholder Data. If you use telephone lines to process payments and/or store Cardholder Data on paper, you must comply with Section 1 of the following requirements. If you use computers to perform any of these functions electronically, you must comply with Section 2 of the following requirements. PCI Security Awareness Revised 7/16/2010 Page 1 of 6

2 Section 1. PCI Compliance for Payment Card Processing Without Computers If you use Payment Card readers that transmit and receive Cardholder Data via telephone lines and/or store Cardholder Data on paper: 1. Do not store or process any Cardholder Data until you have been certified PCI compliant by ECU Financial Services. Your certification must be renewed annually. 2. Your business practices and information security practices must be audited annually by ECU Financial Services. Results of the audit must be submitted to OSC for annual PCI certification renewal. 3. Access to Cardholder Data must be granted on a need-to-know basis. 4. During business hours, restrict Cardholder Data to a controlled-access area. 5. After business hours, keep Cardholder Data in a locked container (e.g., file cabinet, vault). Only people who have a need to access Cardholder Data should have keys, combinations, or passwords that give them access to the Cardholder Data. 6. Dispose of Cardholder Data in a secure manner as soon as your business need for it expires. Use a cross-cut shredder or a certified shredding service. Never throw Cardholder Data in the trash. 7. If you use keys to restrict access to Cardholder Data, you must maintain a current access list of all personnel possessing those keys. If someone s need to access Cardholder Data expires, their key must be returned immediately and the key list must be updated immediately. If a key is lost, the locked must be changed immediately and new keys must be issued immediately. 8. If you use a combination lock to restrict access to Cardholder Data, you must maintain a current access list of all personnel possessing the combination. If someone s need to access Cardholder Data expires, the combination must be changed immediately and the access list must be updated immediately. 9. Never store the CVV code (the 3- or 4-digit number printed on the signature line of a Payment Card) for any reason. 10. Avoid sending or receiving Cardholder Data via . If you must send Cardholder Data via , you must use encryption (minimum of 128-bit cipher strength; 256-bit AES encryption is strongly recommended). Check with ITCS for available encryption solutions. 11. Check with University Financial Services if you have questions about storage or processing of Cardholder Data. 12. Any change in your processing or storage of Cardholder Data must be certified PCI compliant by ECU Financial Services before you implement the change. Section 2. PCI Compliance for Payment Card Processing With Computers If you use computers to access, process, transmit, or receive Cardholder Data electronically: 1. You must comply with all requirements in Section 1, if you also store Cardholder Data on paper. 2. Do not process any Cardholder Data until you have been certified PCI compliant by ECU Financial Services. Your certification must be renewed annually. 3. Do not store full Payment Card numbers electronically for any reason. Do not store full Payment Card numbers on workstations (desktops or laptops), Piratedrive, PDAs, tablets, or any other computing or storage devices, even if the data is encrypted. You may store the last 4 digits of the PAN electronically, but not the full number. 4. Never store the CVV code (the 3- or 4-digit number printed on the signature line of a Payment Card) for any reason. 5. Your business practices, information security practices, and computing environment (workstations, servers, network, storage, disposal) must be audited for PCI compliance PCI Security Awareness Revised 7/16/2010 Page 2 of 6

3 annually by ECU Financial Services. Your computers and network must be scanned monthly for vulnerabilities by Trustwave, a certified scanning vendor employed by and reporting to OSC. Results of the audits must be submitted to OSC for annual PCI certification renewal. 6. Any vendor supporting your card processing infrastructure (hosting service, gateway, application software) must be certified PCI compliant and provide you with proof annually. Your business unit is responsible for keeping this proof on file at all times. If your vendor loses their PCI certification, your PCI certification is voided immediately. 7. The ECU wireless network is not PCI compliant. Never use the ECU wireless network to access, process, transmit, or receive Cardholder Data. Never connect an ECU computer used for processing Cardholder Data to any wireless network. 8. All computers used to store, access, process, receive, or transmit Cardholder Data must be on a special network separated from the rest of the ECU campus computer network. Traffic on this special network will be monitored, recorded, and retained. 9. Dispose of Cardholder Data securely as soon as your business need for it expires. 10. Access to Cardholder Data must be granted on a need-to-know basis. If you use passwords to restrict access to Cardholder Data, you must maintain a current access list of all personnel having access to Cardholder Data. You must require the use of strong passwords for access to Cardholder Data (see the Passwords section of this document for details about creating strong passwords). If someone s need to access Cardholder Data expires, their access to the Cardholder Data must be deleted immediately and the access list must be updated immediately. 11. Avoid sending or receiving Payment Card information via . If you must send Payment Card information via , you must use encryption (minimum of 128-bit; 256-bit AES encryption is strongly recommended). Check with ITCS for available and approved encryption solutions. 12. Check with ECU Financial Services if you have questions about personal or departmental storage or processing of Cardholder Data. 13. Any change in your processing or storage of Cardholder Data must be certified PCI compliant by ECU Financial Services before you implement the change. Changing your processing without prior certification voids your PCI compliance. Potential changes include, but are not limited to, the following: a. payment gateway b. third-party vendor for hardware, software, or hosting services c. Payment Card processing software versions (on server or workstation) d. location and physical access to servers or workstations e. installation of new workstations or computing devices of any kind f. network jack used to connect server or workstation to PCI-compliant section of ECU network. Passwords You are responsible for the security of your user account (userid). Your computer access is tracked by your user userid, which is protected by a password. Never allow anyone else access to your userid. If someone else gains access to your userid by guessing/stealing your password or if you permit someone else to login as you, authorities must assume that all actions associated with your userid were performed by you. Protect yourself by using passwords wisely. Use passwords whenever possible. o Never use a blank password. o Change all default passwords immediately. PCI Security Awareness Revised 7/16/2010 Page 3 of 6

4 Create strong passwords (passphrases) by following these guidelines: o Make your password at least 8 digits in length. o Don t use repeating digits. o Use a combination of numbers and letters. o Mix upper- and lower-case letters. o Use special characters #, &, %, etc.) within in the password, not just at the beginning or end. o Never use dictionary words (including foreign or archaic languages), your account name, proper names, zip codes, or room numbers in your password. Keep your passwords secret. o Don t write your password and hide it under the telephone, under the keyboard, or in a desk drawer. o Don t reveal your password to anyone, including your superiors. If anyone pressures you to reveal your password, they are in violation of University policy, which forbids the sharing of userids or passwords. Notify ECU Human Resources of the violation immediately your anonymity will be protected. o When using a computer or accessing a website, don t use any option that offers to save my password for the next time or automate my login. This option will store your password, which is just as bad as writing it down. Stored passwords can be stolen and used against you. Change all your passwords at least every 90 days. o Don t re-use old passwords. o Don t use the same password for multiple systems. Secure Computing Practices Any workstation that contains or processes Payment Card information must be treated as a highsecurity computer. Users will be responsible for the security of their high-security computers, which will be subject to automated network security scans. To ensure the proper security and operation of your high-security computer: Use antivirus software; never disable it. Update antivirus definitions daily; your campus computer should do this automatically if it was configured by ITCS. Scan all your files weekly to protect against malware (malicious software) that can steal your passwords, destroy your data, or take control of your computer. ITCS provides and installs Symantec Endpoint Protection (SEP) for campus PCs at no charge. If your computer begins acting strangely, slows down significantly, or takes a very long time to start, it may be infected with malware (malicious software used by hackers). Call the ECU Help Desk at and open a service ticket to have your computer checked by a qualified technician. Tell the Help Desk representative that your computer processes Payment Card information and should be assigned an emergency status for investigation. A firewall must be used on any computer that connects to a network or the Internet. Windows XP contains a built-in firewall. If your Windows XP computer has Service Pack 2 installed, the firewall is enabled by default. If ITCS installed your computer, this has already been done for you. Whenever you leave your computer, lock it. Press the CTRL, ALT, and DEL keys simultaneously, then release them and choose Lock Computer. All current processes and PCI Security Awareness Revised 7/16/2010 Page 4 of 6

5 active programs will continue to run, but unauthorized individuals can t use your computer. When you return to your computer, login again and resume working. Use a password-protected screen saver and configure it to blank your screen after 10 minutes of inactivity. Use only screen savers included in your Windows operating system. Never use an aftermarket screen saver on your work computer. Turn off your computer if it will be idle for more than a few hours, especially if it will be idle overnight. A computer can t get hacked or infected with malware while it s turned off. If a computer you use has been hacked, change ALL your passwords on ALL systems you access. Use a different computer known to be secure to change your passwords NOW! Report all information security incidents to Financial Services. Computer Software Update and Use Prudently Improper installation or use of computer software can nullify all measures taken to secure your computer and its computing environment. University-owned computers connected to the ECU campus network have their Microsoft operating systems, Microsoft Office applications, and Symantec Endpoint Protection automatically updated by ITCS. If you install software on your computer that is not originally installed by ITCS, you are responsible for updating and securing it. Do not install any software that is not required to perform your job functions. If you ve already installed it, uninstall it. If you don t know how to uninstall it, call the Help Desk and open a Service Request to have a qualified technician service the computer. Examples of software to avoid: Peer-to-peer (P2P) file sharing software. (e.g., Kazaa, gnutella, BearShare, Grokster, Morpheus, Napster, LimeWire, etc.). Many computer worms are optimized to spread via P2P software. Instant messaging (AOL Instant Messenger, Yahoo, etc.) and chat software. Add-on toolbars for Internet browsers Desktop search tools Aftermarket screen savers (especially those that automatically download pictures from the Internet) Alternate (non-microsoft) (e.g., gmail, hotmail) Non-Microsoft add-ons to Outlook (e.g., cute icons) Weather-monitoring software News-monitoring software Stock market-monitoring software Non-Microsoft media players (e.g., Quicktime, RealPlayer) Web server software (e.g., Internet Information Server, Tomcat) Shopping or coupon software (e.g., Claria, formerly named Gator) Password-caching software (stores your userids/passwords at remote location) Online gambling software Remote control and remote access software Use prudently. Never open any attachment, regardless of its source. Save the file to your computer s hard drive and scan it for viruses. PCI Security Awareness Revised 7/16/2010 Page 5 of 6

6 PCI Security Awareness Certification I have read the document titled PCI Security Awareness for Campus Payment Card Merchants. I understand the document s contents and will comply with them. Name (print) Date Signature PCI Security Awareness Revised 7/16/2010 Page 6 of 6