IT TECHNICAL SECURITY REVIEW CHECKLISTS FOR E-COMMERCE WEBSITES

Transcription

1 IT TECHNICAL SECURITY REVIEW CHECKLISTS FOR E-COMMERCE WEBSITES Currently there are three University approved e-commerce website configurations: (1) MERCHANT-MANAGED E-COMMERCE IMPLEMENTATION (2) SHARED-MANAGEMENT E-COMMERCE IMPLEMENTATION (3) WHOLLY OUTSOURCED E-COMMERCE IMPLEMENTATION This document contains descriptions for each of the above scenarios and checklists to be completed for each configuration, as permissible in accordance with Payment Card Industry Data Security Standards (PCI DSS) and University compliance requirements. Please ensure the correct checklist pertaining to your specific scenario is completed. YOU WILL NOT BE ABLE TO ACCEPT PAYMENT BY CREDIT CARD THROUGH YOUR E-COMMERCE SITE UNTIL TREASURY HAS REVEIWED & SIGNED OFF ON A COMPLETED IT SECURITY CHECKLIST INSTRUCTIONS 2 E-COMMERCE SCENARIO DESCRIPTIONS 3 COMPLETE THIS CHECKLIST FOR SCENARIO 1 6 COMPLETE THIS CHECKLIST FOR SCENARIO 2 OR 3 8 MERCHANT ACKNOWLEDGMENT 11 IT REVIEWER APPROVAL 12 TREASURY APPROVAL 12 Merchants should be familiar with the University's E-commerce policy and how it affects your work in this area. The policy can be found here:

2 INSTRUCTIONS E-commerce processing and application programming must conform to the standards provided within this document and the following Policy and Guidelines: o o o Web Application Security Standards and Practices Credit Card Acceptance & Processing Policy PCI DSS e-commerce Guidelines MERCHANT: NOTE: This form is to be submitted ONLY after the e-commerce site has been configured to the test environment with the test API credentials provided by Treasury when the Merchant Account was set up. (The form may also be required periodically throughout the life of the e-commerce site to provide updated information for recordkeeping purposes). 1. Review the descriptions of all 3 scenarios beginning on the following page to determine the scenario that best describes your e-commerce environment. 2. Complete the checklist applicable to your scenario. 3. Obtain the signature of the Senior Business Officer (SBO) and the IT Custodian responsible for the development and upkeep of the e-commerce site on the Terms Acknowledgement Form (page 11). 4. Submit the completed Checklist, Terms Acknowledgement Form, and any additional required documentation to Treasury at creditcards@columbia.edu. TREASURY: 1. Upon receipt of the completed form, coordinate with a designated IT reviewer to confirm that the site complies with both the University s technical security requirements and the content requirements set forth by this document. 2. Conduct a final review of the site and approve the Form and accompanying documentation. 3. a counter-signed copy of the Form as confirmation that the e-commerce site has been approved. o Upon Treasury approval, the MERCHANT will also receive API credentials for Live processing to replace the test credentials within the form code and redirect the code to the Production Environment endpoint URL so that payments by credit card may begin to be accepted through the approved website. PCI DSS Scoping Guidance: All of the network components that connect systems and/or transmit cardholder data are in scope for PCI DSS. It is important for a merchant to understand exactly where cardholder data flows throughout its network, as well as when and how that data is transmitted to a hosting provider or e-commerce payment processor. For more information about this document or e-commerce policy in general, please creditcards@columbia.edu IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 2 of 12

3 E-COMMERCE SCENARIO DESCRIPTIONS For further detailed information on the e-commerce implementations described in this section, please refer to the ecommerce Guidelines document REMEMBER: The following 3 scenarios are the only scenarios currently approved by the University. Please be sure to choose the one that best describes your e-commerce environment. 1) MERCHANT-MANAGED E-COMMERCE IMPLEMENTATION: Websites developed by Columbia University personnel and hosted INSIDE the Columbia University Network. Merchant-managed e-commerce implementations are generally those where the Merchant 1) develops their own payment application, that then re-directs the cardholder to the Gateway / Processor to enter their payment data or 2) uses a commercial payment application provided by a University approved Processor & Gateway Provider. These scenarios are further explained here: ecommerce Guidelines document PCI DSS Scoping Guidance: In general, the merchant s web application and e-commerce infrastructure are in scope for all applicable PCI DSS requirements. Merchants who develop their own e-commerce applications should consider developing the applications using PA-DSS as a best practice to ensure that the applications are developed securely and also help the merchant maintain PCI DSS compliance. These merchants should also consider creating an implementation guide, referring to the PA-DSS Implementation Guide requirements as a model, to provide guidance for internal use such as for installing and maintaining the application in a PCI DSS compliant manner within a PCI DSS compliant environment. For commercial shopping carts/payment applications, it is recommended that they be PA-DSS validated, listed by PCI SSC, and identified as acceptable for new deployments in the listing at the time of purchase. Implementing and using PA-DSS validated applications in accordance with the PA-DSS Implementation Guide will facilitate the PCI DSS assessment process Note that a merchant application is considered to process cardholder data either because the application handles the data before it is submitted to an e-commerce payment processor or during authorization and/or settlement. Web Application Security Standards and Practices If the above scenario describes your e-commerce environment, please complete the checklist beginning on page 6. IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 3 of 12

4 E-COMMERCE SCENARIO DESCRIPTIONS, CONT D For further detailed information on the e-commerce implementations described in this section, please refer to the ecommerce Guidelines document 2) SHARED-MANAGEMENT E-COMMERCE IMPLEMENTATION: (*additional documentation required*) Situations wherein the Merchant website is developed by Columbia personnel or a vendor/developer hired by Columbia personnel, and is hosted somewhere OUTSIDE the Columbia University Network. Shared-management e-commerce implementations are those where the Merchant maintains responsibility for some elements of the e-commerce infrastructure. For example, where the e-commerce implementation requires an application or code to be installed onto or delivered through the merchant s site, the Merchant or Merchants hired web developer will be responsible for properly implementing and maintaining that code and for the security of the server on which the code resides, etc. PCI DSS Scoping Guidance: Merchants should understand that outsourcing to a third party via a shared-management implementation does not allow the merchant to outsource PCI DSS responsibility, regardless of whether a merchant is eligible to complete a self-assessment questionnaire (SAQ). With each of these shared-management implementations, there is still security risk for the merchant since weaknesses on the merchant s website can lead to compromise of the payment card data during the transaction process. See Security Considerations for Shared-Management E-commerce Implementations on page 17 of ecommerce Guidelines document for risks specific to each implementation. Due to these risks to a merchant s website and payment card data, even in outsourced scenarios, it is recommended that merchants implement applicable PCI DSS controls as needed to ensure the security of the website. If the above scenario describes your e-commerce environment, please complete the checklist beginning on page 8. IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 4 of 12

5 E-COMMERCE SCENARIO DESCRIPTIONS, CONT D For further detailed information on the e-commerce implementations described in this section, please refer to the ecommerce Guidelines document 3) WHOLLY OUTSOURCED E-COMMERCE IMPLEMENTATION: (*additional documentation required*) Situations wherein a Columbia Merchant is using a Third Party web-based application service provider and the website is hosted OUTSIDE the Columbia University Network Many merchants are interested in managing their PCI DSS responsibility by outsourcing all cardholder data storage, processing, and transmission to a third party hosting provider or e-commerce payment processor. In this case, merchants may elect to use a solution provided and hosted by a third party, which is wholly under the control and responsibility of the third party. This type of solution could consist of an e-commerce application, hosted servers, and hosted infrastructure, which are all provided and managed by the third party. A web interface is provided for the merchant to access the third-party site, and to manage the e-commerce store and customers. Outsourcing and manually entering payment data: Many merchants outsource their e-commerce transactions to a PCI DSS compliant service provider. However, in many cases merchants find that they need to continue to process card-present, fax, or mail order/telephone order (MOTO) transactions. For customer-service purposes (e.g., when a consumer s Internet access is unavailable), it is not uncommon for staff at merchant locations to use their existing workstations for access to the merchant s payment gateway and manually enter the transaction for the consumer. The result is that these workstations effectively become virtual terminals when staff use them to enter transactions into a form on a web page either manually or, if the cardholder is present, by swiping or dipping a payment card through a card reader ( wedge ) that is connected to the workstation. Merchants that accept card-present transactions and merchants that have electronic processing or transmission within their facilities may have an extensive PCI DSS scope as a result of manually entering payment data in this manner. To reduce scope for the e-commerce environment in this scenario, consider segmenting the workstations used to manually enter payment data from the rest of the merchant s e-commerce processing environment, at a minimum. Such merchants should consult with the Treasury Dept. (creditcards@columbia.edu) to discuss additional requirements. If the above scenario describes your e-commerce environment, please complete the checklist beginning on page 8. IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 5 of 12

6 Complete this Checklist for SCENARIO 1 ONLY MERCHANT MANAGED E-COMMERCE IMPLEMENTATION IT TECHNICAL SECURITY CHECKLIST **A COMPLETED CHECKLIST MUST BE RETURNED TO creditcards@columbia.edu BEFORE TREASURY WILL ACTIVATE ANY MERCHANT ID FOR CREDIT CARD PROCESSING** The following information MUST be provided: (For new Merchant Accounts, the MID will be provided by Treasury upon approval of this form) MID Number (for existing MIDs only): MID DBA: Name of Individual Completing the Form: Main Business Contact (name & ): Web Developer (name & ): Third Party Provider(s) (if applicable): Individual Responsible for maintaining site: *BY CHECKING THE BOXES BELOW, YOU CONFIRM THAT EACH REQUIREMENT HAS BEEN MET* University Policies: You should be familiar with the University s Policies and E-commerce requirements and how each will affect your work in this area. TLS Certificate: If your site allows registration, serves any kind of shopping cart page(s), serves forms that accept name, address and/or any other personal information, or displays subtotal/total cost of merchandise/service, these pages *MUST* be served securely, using a TLS certificate, version 1.2 or later. No version of SSL meets the PCI SSC's definition of "strong cryptography" and all SSL support must be disabled. E-commerce web applications must use encrypted transmission. Provide the URL for your website: Online Payment Form: Columbia's policies clearly state that online payment forms must NOT be served from a University server or from the University network. You must establish a relationship with a University approved third-party provider of E-commerce services: CyberSource or Converge (formerly Virtual Merchant). Payment forms must be served from their domain and their servers. Please provide the URL for the Payment Page (where cardholder data is entered) AND the URL for the Registration Page on your website that contains the link that will re-direct visitors to the payment page. Provide the URL for your REGISTRATION Page: Provide the URL for your PAYMENT Page: IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 6 of 12

7 Checklist for SCENARIO 1 Cont d Refund Policy: Every website with an e-commerce function must have a Refund Policy (or link to such policy) clearly posted throughout the site Provide the URL where your Refund Policy is posted: Privacy Policy: Every website with an e-commerce function must have a Privacy Policy (or link to such policy) clearly posted throughout the site. Provide the URL where your Privacy Policy is posted: Contact Information: Every site must provide contact information with a valid customer service phone number and/or , clearly posted on the site. Provide the URL that displays valid contact information: API Credentials Visibility: In the course of building an e-commerce site, the developers must make certain that the API credentials provided by Treasury when the Merchant Account was requested are NOT visible to the client in any way, including in the served source code of the form. These credentials must NEVER be shared outside of the Office of the Treasurer providing them to the Web Developer in a secure manner. These credentials must NEVER be used for any other purpose other than within the required fields of the HTML form code configuration. The API Credentials MUST be updated periodically, (at least annually). Please contact creditcards@columbia.edu for assistance in updating your API credentials. IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 7 of 12

8 Complete this Checklist for SCENARIO 2 OR 3 IT TECHNICAL SECURITY CHECKLIST **A COMPLETED CHECKLIST MUST BE RETURNED TO creditcards@columbia.edu BEFORE TREASURY WILL ACTIVATE ANY MERCHANT ID FOR CREDIT CARD PROCESSING** The following information MUST be provided: (For new Merchant Accounts, the MID will be provided by Treasury upon approval of this form) IDENTIFY WHICH SCENARIO (2 or 3) THIS CHECKLIST IS BEING COMPLETED FOR MID Number (for existing MIDs only): MID DBA: Name of Individual Completing the Form: Main Business Contact (name & ): Web Developer (name & ): Third Party Provider(s) (if applicable): Individual Responsible for maintaining site: SCENARIO 2 SHARED-MANAGEMENT E-COMMERCE IMPLEMENTATION SCENARIO 3 WHOLLY OUTSOURCED E-COMMERCE IMPLEMENTATION *BY CHECKING THE BOXES BELOW, YOU CONFIRM THAT EACH REQUIREMENT HAS BEEN MET* University Policies: You should be familiar with the University s Policies and E-commerce requirements and how each will affect your work in this area. TLS Certificate: If your site allows registration, serves any kind of shopping cart page(s), serves forms that accept name, address and/or any other personal information, or displays subtotal/total cost of merchandise/service, these pages *MUST* be served securely, using a TLS certificate, version 1.2 or later. No version of SSL meets the PCI SSC's definition of "strong cryptography" and all SSL support must be disabled. E-commerce web applications must use encrypted transmission. Provide the URL for your website: Refund Policy: Every website with an e-commerce function must have a Refund Policy (or link to such policy) clearly posted throughout the site Provide the URL where your Refund Policy is posted: IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 8 of 12

9 Checklist for SCENARIO 2 or 3 Cont d Online Payment Form: Columbia's policies clearly state that online payment forms must NOT be served from a University server, from the University network or from non-pci Compliant 3 rd Party servers or infrastructure. If your 3 rd party hosting vendor provides written documentation that your site is being hosted on a PCI compliant infrastructure, then you may elect to keep your online payment form integrated with the rest of your website. If not, you must establish a relationship with an approved third-party provider of E-commerce services: CyberSource or Converge (formerly Virtual Merchant). Payment forms must be served from their domain and their servers. Please provide the URL for the Payment Page (where cardholder data is entered) AND the URL for the Registration Page on your website that contains the link that will re-direct visitors to the payment page. Provide the URL for your REGISTRATION Page: Provide the URL for your PAYMENT Page: Privacy Policy: Every website with an e-commerce function must have a Privacy Policy (or link to such policy) clearly posted throughout the site. Provide the URL where your Privacy Policy is posted: Contact Information: Every site must provide contact information with a valid customer service phone number and/or , clearly posted on the site. Provide the URL that displays valid contact information: API Credentials Visibility: In the course of building an e-commerce site, the developers must make certain that the API credentials provided by Treasury when the Merchant Account was requested are NOT visible anywhere in the source code of the form. These credentials must NEVER be shared outside of the Office of the Treasurer providing them to the Web Developer in a secure manner. These credentials must NEVER be used for any other purpose other than within the required fields of the HTML form code configuration. The API Credentials MUST be updated periodically, (at least annually). Please contact creditcards@columbia.edu for assistance in updating your API credentials. IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 9 of 12

10 Checklist for SCENARIO 2 or 3 Cont d Checking this box confirms the 3rd party website is hosted at a PCI-compliant hosting facility on a PCI-compliant infrastructure and you are permitted to keep your payment page(s) integrated with your website. In this case, the provider of the website hosting vendor must provide written documentation that their application, and the infrastructure which serves it, meets all aspects of current PCI-DSS compliance. E- commerce web applications must use TLS V 1.2 or later, encrypted transmission. You must confirm this BEFORE you sign any agreement to contract services from them. If your website hosting vendor cannot or will not provide written documentation that their application and the infrastructure which it serves meets all aspects of PCI-DSS and PA-DSS compliance, then you will need to separate your payment page(s) from the rest of your website or find another vendor. Service Provider is listed on either the following lists: Click here for the Visa Global Registry of Service Providers Click Here for the MasterCard Compliant Service Provider List Copy of Agreement with Service Provider is attached Copy of Service Provider s Attestation of Compliance, (et. al) is attached. Diagram of process flow of payment data throughout your entire e-commerce environment is attached. IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 10 of 12

11 MERCHANT ACKNOWLEDGMENT This section must be completed & signed by IT Custodian responsible for the development & upkeep of the e-commerce site. The configuration of the Merchant s e-commerce site referenced within this checklist adheres to the guidelines and policy requirements provided throughout this document. I understand that all API credentials are unique pieces of information, specifically associated with the Payment Gateway account. And these values are only required when setting up an Internet connection between an e-commerce website and the Merchants Payment Gateway. They are used by the Payment Gateway to authenticate that the Merchant is authorized to submit website transactions. And I understand these values must be kept secure and never shared after receiving them securely from the CU Office of the Treasurer. I agree to coordinate with Treasury to update the API credentials regularly (at least annually) to further strengthen the security of the Merchant s Payment Gateway account. Treasury will be notified anytime there are changes in the configuration of the e-commerce site, or the Merchant s website environment as a whole, as it may have significant impact on the scope of the Cardholder Data Environment (CDE). Copies of all documentation for any Third Party Service Providers (TPSP) has been provided to Treasury (creditcards@columbia.edu) Printed Name: Signature: Date: This Section Must Be Completed & Signed By SENIOR BUSINESS OFFICER (SBO): Citrix Client: For every employee/user needing access to process or view transaction activity through any Payment Gateway; the appropriate User Form for card-not-present environments has been submitted to creditcards@columbia.edu to obtain authorized access. Citrix will create a protected browser session which will eliminate the possibility of copy/paste functions from the browser session to other applications of the computer. Completion of payment transactions through any Payment Gateway must only be accessible via the Citrix client. I agree to contact the Office of the Treasurer if any Payment Gateway appears to be accessible outside of the Citrix environment. By checking this box the SBO agrees to keep the information and URL's within this checklist up to date with the Office of the Treasurer by notifying creditcards@columbia.edu of any and all changes, which includes notification of when these URL's are no longer active. Additionally, the SBO agrees that all relevant policies have been reviewed and applied to this e-commerce implementation project. Printed Name: Signature: Date: IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 11 of 12

12 IT REVIEWER APPROVAL By checking this box and signing below, the IT reviewer confirms that they have reviewed the URLs provided within the attached IT Technical Security Checklist and agree that each of the e-commerce Technical & Content Requirements have been fulfilled. By checking this box the IT Reviewer has determined that one or more items need attention (see notes). NOTES: IT REVIEWER SIGNATURE: TITLE: PRINTED NAME: DATE: TREASURY APPROVAL By checking this box and signing below, Treasury has confirmed that all requirements have been met and all necessary supplemental documentation has been provided. By checking this box Treasury has determined that additional information must be provided (see notes). NOTES: TREASURY REVIEWER SIGNATURE: TITLE: PRINTED NAME: DATE: IT Technical Security Review Checklist for E-Commerce Websites - Revised February 2015 Page 12 of 12