Policies and Procedures

Transcription

1 Policies and Procedures Provided by PROGuard The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ, it is imperative that you review, understand, and enforce the policies and procedures outlined below. If you have any questions, please contact ProGuard at x295. I. Ensure that all employees have been trained and educated on the policies and procedures. Each employee is to sign the Employee Acknowledgement. (Employee Compliance Form) II. PCI DSS Requirement 1 Install and maintain a firewall configuration to protect cardholder data. A. Please see attached diagram to identify how your network looks. A VPN (Datawire) is required by the processor to process over the Internet. A basic diagram is provided with and without a router. Please print out the diagram that identifies your network and keep it in your compliance binder. III. PCI DSS Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters. A. All passwords are changed by management and new ones are assigned to authorized personnel. NOTE: Question 2.1.1(a) and 2.1.1(b) of the SAQ refers to wireless operations, if you do not use a wireless system answer the question N/A. When you finish the questionnaire a box will pop in which you must write in an explanation about your answer. An example would be no wireless at our location. 2.3 Ensure that your router setting has disabled HTTP or TELNET. IV. PCI DSS Requirement 3.2 All systems must adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted). A. POS systems are to be updated with the most current version of software that is provided by the manufacturer which does not store the full contents of any track from the magnetic stripe (located 1

2 on the back of a card, contained in a chip, or elsewhere). Document all software upgrades on the Processing Equipment Maintenance Form. B. Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions and do not store the personal identification number (PIN) or the encrypted PIN block. V. PCI DSS Requirement 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). A. Truncation is performed by the POS system. B. If using a paper imprinter slip as a backup method and the document is to be stored, then all digits except the last four must be blacked out. VI. PCI DSS Requirement 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. A. All data transmitted uses strong cryptography which is provided by the POS device. In addition, the POS device is connected to the service provider via a VPN. In some cases an additional device is used to further the encryption (Datawire). VII. PCI DSS Requirement 4.2 Never send unencrypted PANs by end-user messaging technologies (for example, , instant messaging, chat). A. When absolutely necessary to send cardholder data, other personally identifiable information, or other sensitive information via messaging technologies (including text or ), appropriate measures are taken to block out or remove the cardholder information, other personally identifiable information, or that the communicated sensitive information is rendered useless. VIII. PCI DSS Requirement 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). A. All computers connected to the in-house network are to be updated with the most up-to-date antivirus software and/or programs. (This includes sharing the router with the POS system). 2

3 IX. PCI DSS Requirement 6.1 Ensure that all system components and software have the latest vendorsupplied security patches installed. Install critical security patches within one month of release. A. As required by PCI DSS Requirement 3.2, systems are to be upgraded with the latest software and security patches within one month of release. X. PCI DSS Requirement 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. A. Each employee is given their own unique access code for POS or stand alone terminals which are to restrict the fields in which they have access. B. Employees are instructed not to share cardholder information with other employees unless deemed necessary by a supervisor. XI. PCI DSS Requirement 8.0 Assign a unique ID to each person with access to a computer, POS system or stand alone terminal. A. Assign all users a unique username before allowing them to access system components or cardholder data. B. In addition to assigning a unique ID, employ one of the following methods to authenticate all users: 1) Password or passphrase. C. Render all passwords unreadable during transmission and storage on all system components using strong cryptography based on approved standards. D. Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows: 1) Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. 2) Verify user identity before performing password resets. 3) Set first-time passwords to a unique value for each user and change immediately after the first use. 4) Immediately revoke access for any terminated users. 5) Remove/disable inactive user accounts at least every 90 days. 6) Enable accounts used by vendors for remote maintenance only during the time period needed. 7) Communicate password procedures and policies to all users who have access to cardholder data. 3

4 8) Do not use group, shared, or generic accounts and passwords. 9) Change user passwords at least every 90 days. 10) Require a minimum password length of at least seven characters. 11) Use passwords containing both numeric and alphabetic characters. 12) Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. 13) Limit repeated access attempts by locking out the user ID after not more than six attempts. 14) Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID. 15) If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal. 16) Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users. XII. PCI DSS Requirement 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. (POS Maintenance Form, POS and Terminal Inspection Form); (Additional For Gas Stations: Pump and Site Inspection Form, Pump Key Form, and Pump Maintenance Form, POS and Terminal Inspection Form) A. Restricted areas are appropriately identified by signage (i.e. authorized personnel only). B. All keys are to be unique to your site. C. A POS/Counter top Maintenance Form is to be completed when maintenance is done to any POS/Counter top terminal. D. Inspect terminals/pos to ensure no unauthorized cables have been attached or the terminal/pos has not been tampered with. For Gas Stations: E. If you accept cards at the pump, a daily pump and site inspection is to be done to ensure pump security. F. Use the Pump Key Form and the Pump Maintenance Form when pumps are accessed or serviced. XIII. PCI DSS Requirement 9.6 Physically secure all paper and electronic media that contain cardholder data. (Cardholder Data Form) A. Locate all paper documents (including receipts, notes, reports and faxes) and all electronic storage data such as cds, backup tapes, thumb drives, hard drives and credit/debit card processing machines which contain your customers full credit/debit card numbers. B. Determine if it is necessary to keep any paper or electronic data that contains your customers full credit/debit card numbers. We strongly recommend you do not keep any documents with the 16 4

5 digit number unless absolutely necessary. If you do have any on file, please ask yourself, Why do I need to keep this? C. If necessary for business purposes to store this data, the following rules apply: o If it is portable, electronic storage, it must be stored in a locked cabinet. o Any electronically stored data must be password secured. o A Form must be kept documenting how the cardholder data is stored and secured. XIV. PCI DSS Requirement 9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. (Media Removal Form) A. All material moved from the secure area is marked confidential, documented on the Media Removal Data Form and transported by a document service such as Fed Ex or U.S. Post Office with a tracking number. XV. PCI DSS Requirement 9.8 Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals). A. No material containing cardholder data is to leave the premises without the permission of management. XVI. PCI DSS Requirement 9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data. A. All sensitive data is to be kept in a file or secured area which is accessible by management only. B. The file cabinet or safe containing confidential information is to be locked during business hours as well as after hours. XVII. PCI DSS Requirement 9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons. (Media Destruction Form) A. Requirement Shred, incinerate, or pulp hard copy materials so that cardholder data cannot be reconstructed. B. Document the description of the storage data you are destroying, the date and method of destruction on the Media Destruction Form. 5

6 C. Management is to sign and date the Form and it is to be kept in the Compliance Binder. XVIII. PCI DSS Requirement 11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use. A. If wireless is in use, it is to be a closed network with the latest security protocols installed with no signal access from outside the building. NOTE: Wireless has been identified as a high security risk. If you have a wireless router, question 11.1 of the SAQ requires the wireless access points to be tested by using a wireless analyzer at least quarterly or by deploying a wireless Intrusion Detection System (IDS)/ Intrusion Prevention System (IPS) to identify all wireless devices in use. A wireless scan by an outside source will need to be conducted. To avoid a wireless scan you will need to close your wireless port. If you don t know how to do this, please call your Internet provider or an IT support company. XIX. PCI DSS Requirement 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). A. After any adjustments are made on any POS system or VPN, a scheduled scan will need to be performed. This can be scheduled at by clicking on the scan button. XX. PCI DSS Requirement 12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers. (Service Provider Form and Service Agreement) A. Maintain a list of service providers who would have access to any POS system or to any credit card data. This also includes those individuals or companies which maintain gas pumps. B. Determine with whom you share your customers cardholder data. Be sure to include all other companies or individuals who are not your employees on the Service Provider Form. C. Maintain a written agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the service provider s posses. D. Monitor service providers PCI DSS compliance status by requesting a copy of their annual SAQ. 6

7 XXI. PCI DSS Requirement Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. A. Only engage contracted work with industry-approved vendors and check references of such vendors. XXII. PCI DSS Requirement 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach. A. If a breach occurs, please notify the Petroleum Card Services PROGuard compliance department at x295. If PROGuard is unavailable, please contact Visa Fraud Investigations and Incident Management group immediately at (650) Once you have read and agree to these policies please print and initial the Policy Acknowledgement SAQ C Form and return the form to PCS. You are now ready to continue to take your SAQ. You will need to have your merchant ID number when you continue to take the SAQ. The merchant ID number can be found on your statement, please make sure you have this number available. You will be prompted to enter your Username and Password. The Username is your MID number and the Password will be your five-digit zip code plus your state abbreviation (i.e NV). 7