Policies and Procedures




Policies and Procedures Provided by PROGuard

The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ, it is imperative that you review, understand, and enforce the policies and procedures outlined below. If you have any questions, please contact ProGuard at 1-866-427-7297 x295.

I. Ensure that all employees have been trained and educated on the policies and procedures. Each employee is to sign the Employee Acknowledgement. (Employee Compliance Form)

II. PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
A. Please see the attached diagram to identify how your network looks. A VPN (Datawire) is required by the processor to process over the Internet. A basic diagram is provided with and without a router. Please print out the diagram that identifies your network and keep it in your compliance binder.

III. PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
A. All passwords are changed by management and new ones are assigned to authorized personnel.
NOTE: Questions 2.1.1(a) and 2.1.1(b) of the SAQ refer to wireless operations; if you do not use a wireless system, answer the question N/A. When you finish the questionnaire a box will pop up in which you must write an explanation of your answer. An example would be "no wireless at our location".
B. Requirement 2.3: Ensure that HTTP and TELNET are disabled in your router settings.

IV. PCI DSS Requirement 3.2: All systems must adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted).
A. POS systems are to be updated with the most current version of software provided by the manufacturer, which does not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). Document all software upgrades on the Processing Equipment Maintenance Form.
B. Do not store the card-validation code or value (the three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions, and do not store the personal identification number (PIN) or the encrypted PIN block.

V. PCI DSS Requirement 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
A. Truncation is performed by the POS system.
B. If using a paper imprinter slip as a backup method and the document is to be stored, then all digits except the last four must be blacked out.

VI. PCI DSS Requirement 4.1: Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
A. All data transmitted uses strong cryptography, which is provided by the POS device. In addition, the POS device is connected to the service provider via a VPN. In some cases an additional device (Datawire) is used to further the encryption.

VII. PCI DSS Requirement 4.2: Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
A. When it is absolutely necessary to send cardholder data, other personally identifiable information, or other sensitive information via messaging technologies (including text or email), appropriate measures are taken to block out or remove the cardholder information and other personally identifiable information, or to render the communicated sensitive information useless.

VIII. PCI DSS Requirement 5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
A. All computers connected to the in-house network are to be updated with the most up-to-date antivirus software and/or programs. (This includes any computer sharing the router with the POS system.)
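Sections V and VII above state two different masking rules: on screen, at most the first six and last four digits of the PAN may show (Requirement 3.3); on a stored imprinter slip, and in anything sent over e-mail, text or chat, only the last four may survive (V.B and Requirement 4.2). The Python below is an added example, not part of the PROGuard document or its POS vendor's software, showing both rules plus a redactor that scrubs PAN-shaped digit runs out of free text before it is sent. The card number, phone number and message used are constructed test data.

```python
"""PAN masking helpers (added example, not from the PROGuard document).

Implements the section V display rule (first six / last four), the section V.B
paper rule (last four only) and a section VII redactor for free-text messages.
All sample values are constructed test data.
"""
import re

# A PAN is 13 to 19 digits. Anything outside that is rejected outright rather
# than partially masked, so a malformed input can never leak through unmasked.
PAN_RE = re.compile(r"\d{13,19}")


def _normalize(pan: str) -> str:
    """Strip the spaces or dashes a clerk might type, then validate the length."""
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_RE.fullmatch(digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_for_display(pan: str) -> str:
    """Requirement 3.3 on-screen rule: at most first six and last four visible."""
    d = _normalize(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def mask_for_paper(pan: str) -> str:
    """Section V.B rule for stored imprinter slips: only the last four survive."""
    d = _normalize(pan)
    return "X" * (len(d) - 4) + d[-4:]


def redact_message(text: str) -> str:
    """Section VII rule: before free text goes out over e-mail, text or chat,
    replace every embedded PAN-shaped digit run with its last-four-only form.
    Digit groups separated by single spaces or dashes are caught as well, while
    shorter runs such as phone numbers are left alone."""
    pattern = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if PAN_RE.fullmatch(digits):
            return mask_for_paper(digits)
        return m.group(0)

    return pattern.sub(_sub, text)


if __name__ == "__main__":
    # Constructed test number (the standard Visa test PAN), not a live card.
    print(mask_for_display("4111 1111 1111 1111"))
    print(mask_for_paper("4111 1111 1111 1111"))
    print(redact_message("Card 4111 1111 1111 1111 exp 12/26, call 1-866-427-7297"))
```

The redactor is deliberately conservative in one direction: it accepts single separators between digit groups so a hand-typed number still gets caught, but it will not touch a digit run outside the 13 to 19 range, which keeps order numbers and phone numbers readable.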

IX. PCI DSS Requirement 6.1: Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
A. As required by PCI DSS Requirement 3.2, systems are to be upgraded with the latest software and security patches within one month of release.

X. PCI DSS Requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
A. Each employee is given their own unique access code for POS or stand-alone terminals, which restricts the fields to which they have access.
B. Employees are instructed not to share cardholder information with other employees unless deemed necessary by a supervisor.

XI. PCI DSS Requirement 8.0: Assign a unique ID to each person with access to a computer, POS system or stand-alone terminal.
A. Assign all users a unique username before allowing them to access system components or cardholder data.
B. In addition to assigning a unique ID, employ one of the following methods to authenticate all users: 1) Password or passphrase.
C. Render all passwords unreadable during transmission and storage on all system components using strong cryptography based on approved standards.
D. Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
 1) Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
 2) Verify user identity before performing password resets.
 3) Set first-time passwords to a unique value for each user and change immediately after the first use.
 4) Immediately revoke access for any terminated users.
 5) Remove/disable inactive user accounts at least every 90 days.
 6) Enable accounts used by vendors for remote maintenance only during the time period needed.
 7) Communicate password procedures and policies to all users who have access to cardholder data.
 8) Do not use group, shared, or generic accounts and passwords.
 9) Change user passwords at least every 90 days.
 10) Require a minimum password length of at least seven characters.
 11) Use passwords containing both numeric and alphabetic characters.
 12) Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
 13) Limit repeated access attempts by locking out the user ID after not more than six attempts.
 14) Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
 15) If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
 16) Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.

XII. PCI DSS Requirement 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. (POS Maintenance Form, POS and Terminal Inspection Form; additionally for gas stations: Pump and Site Inspection Form, Pump Key Form, and Pump Maintenance Form)
A. Restricted areas are appropriately identified by signage (e.g. "authorized personnel only").
B. All keys are to be unique to your site.
C. A POS/Counter Top Maintenance Form is to be completed when maintenance is done to any POS/counter top terminal.
D. Inspect terminals/POS devices to ensure no unauthorized cables have been attached and the terminal/POS has not been tampered with.
For gas stations:
E. If you accept cards at the pump, a daily pump and site inspection is to be done to ensure pump security.
F. Use the Pump Key Form and the Pump Maintenance Form when pumps are accessed or serviced.

XIII. PCI DSS Requirement 9.6: Physically secure all paper and electronic media that contain cardholder data. (Cardholder Data Form)
A. Locate all paper documents (including receipts, notes, reports and faxes) and all electronic storage media such as CDs, backup tapes, thumb drives, hard drives and credit/debit card processing machines which contain your customers' full credit/debit card numbers.
B. Determine whether it is necessary to keep any paper or electronic data that contains your customers' full credit/debit card numbers. We strongly recommend you do not keep any documents with the 16-digit number unless absolutely necessary. If you do have any on file, please ask yourself, "Why do I need to keep this?"
C. If it is necessary for business purposes to store this data, the following rules apply:
 - If it is portable electronic storage, it must be stored in a locked cabinet.
 - Any electronically stored data must be password secured.
 - A form must be kept documenting how the cardholder data is stored and secured.

XIV. PCI DSS Requirement 9.7: Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. (Media Removal Form)
A. All material moved from the secure area is marked confidential, documented on the Media Removal Data Form and transported by a document service such as FedEx or the U.S. Post Office with a tracking number.

XV. PCI DSS Requirement 9.8: Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).
A. No material containing cardholder data is to leave the premises without the permission of management.

XVI. PCI DSS Requirement 9.9: Maintain strict control over the storage and accessibility of media that contains cardholder data.
A. All sensitive data is to be kept in a file or secured area which is accessible by management only.
B. The file cabinet or safe containing confidential information is to be locked during business hours as well as after hours.

XVII. PCI DSS Requirement 9.10: Destroy media containing cardholder data when it is no longer needed for business or legal reasons. (Media Destruction Form)
A. Requirement 9.10.1: Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed.
B. Document the description of the stored data you are destroying, and the date and method of destruction, on the Media Destruction Form.
C. Management is to sign and date the form, and it is to be kept in the Compliance Binder.

XVIII. PCI DSS Requirement 11.1: Test for the presence of wireless access points by using a wireless analyzer at least quarterly, or deploy a wireless IDS/IPS to identify all wireless devices in use.
A. If wireless is in use, it is to be a closed network with the latest security protocols installed and no signal access from outside the building.
NOTE: Wireless has been identified as a high security risk. If you have a wireless router, question 11.1 of the SAQ requires the wireless access points to be tested by using a wireless analyzer at least quarterly, or by deploying a wireless Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) to identify all wireless devices in use. A wireless scan by an outside source will need to be conducted. To avoid a wireless scan you will need to close your wireless port. If you don't know how to do this, please call your Internet provider or an IT support company.

XIX. PCI DSS Requirement 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
A. After any adjustments are made on any POS system or VPN, a scheduled scan will need to be performed. This can be scheduled at www.petropci.com by clicking on the scan button.

XX. PCI DSS Requirement 12.8: If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers. (Service Provider Form and Service Agreement)
A. Maintain a list of service providers who would have access to any POS system or to any credit card data. This also includes those individuals or companies which maintain gas pumps.
B. Determine with whom you share your customers' cardholder data. Be sure to include all other companies or individuals who are not your employees on the Service Provider Form.
C. Maintain a written agreement that includes an acknowledgement that the service provider is responsible for the security of the cardholder data the service provider possesses.
D. Monitor service providers' PCI DSS compliance status by requesting a copy of their annual SAQ.

XXI. PCI DSS Requirement 12.8.3: Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.
A. Only engage contracted work with industry-approved vendors and check references of such vendors.

XXII. PCI DSS Requirement 12.9: Implement an incident response plan. Be prepared to respond immediately to a system breach.
A. If a breach occurs, please notify the Petroleum Card Services PROGuard compliance department at 1-866-427-7297 x295. If PROGuard is unavailable, please contact the Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.

Once you have read and agree to these policies, please print and initial the Policy Acknowledgement SAQ C Form and return the form to PCS. You are now ready to continue to take your SAQ. You will need to have your merchant ID number when you continue to take the SAQ. The merchant ID number can be found on your statement; please make sure you have this number available. You will be prompted to enter your Username and Password. The Username is your MID number and the Password will be your five-digit zip code plus your state abbreviation (e.g. 89423NV).
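Returning to section XI (Requirement 8): items 8.C and 8.D.9 to 8.D.15 are the parts of the policy that a POS or back-office application has to enforce in code rather than on paper: hashed storage, a 90-day password age, seven characters with letters and digits, no reuse of the last four passwords, lockout after six failures for at least 30 minutes, and a 15-minute idle timeout. The Python below is an added example written for this page, not PROGuard's or any POS vendor's software, that encodes exactly those numbers in a small account store. The clock is injected so the time-based rules can be tested without waiting; the user name and passwords are constructed.

```python
"""Requirement 8 authentication controls as code (added example, not from the
PROGuard document). Policy constants are the values stated in section XI;
user names and passwords used with it are constructed test data."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MIN_LENGTH = 7                       # item 10: at least seven characters
HISTORY_DEPTH = 4                    # item 12: not the same as the last four
MAX_ATTEMPTS = 6                     # item 13: lock after six failures
LOCKOUT_SECONDS = 30 * 60            # item 14: locked for at least 30 minutes
IDLE_SECONDS = 15 * 60               # item 15: re-authenticate after 15 idle minutes
MAX_AGE_SECONDS = 90 * 24 * 3600     # item 9: rotate at least every 90 days
PBKDF2_ROUNDS = 100_000              # assumption: slow-hash work factor


def check_complexity(password: str) -> bool:
    """Items 10 and 11: minimum length, with both letters and digits present."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password: str, salt: bytes) -> bytes:
    """Item 8.C: store only a salted, slow hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str                                    # item 8.A: one ID per person
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)      # password hashes, newest last
    changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0
    session_open: bool = False


class Authenticator:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for deterministic testing
        self.accounts: dict = {}

    def set_password(self, username: str, password: str) -> bool:
        """Create or rotate a password, enforcing complexity and history."""
        acct = self.accounts.setdefault(username, Account(username))
        if not check_complexity(password):
            return False
        digest = hash_password(password, acct.salt)
        if any(hmac.compare_digest(digest, old) for old in acct.history[-HISTORY_DEPTH:]):
            return False            # item 12: matches one of the last four
        acct.history.append(digest)
        acct.changed_at = self.clock()
        return True

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked', 'expired' or 'denied'."""
        acct = self.accounts.get(username)
        now = self.clock()
        if acct is None:
            return "denied"
        if now < acct.locked_until:
            return "locked"         # item 14: still inside the lockout window
        expected = acct.history[-1] if acct.history else b""
        if not hmac.compare_digest(hash_password(password, acct.salt), expected):
            acct.failures += 1
            if acct.failures >= MAX_ATTEMPTS:          # item 13
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                return "locked"
            return "denied"
        acct.failures = 0
        if now - acct.changed_at > MAX_AGE_SECONDS:    # item 9
            return "expired"
        acct.session_open = True
        acct.last_activity = now
        return "ok"

    def touch(self, username: str) -> bool:
        """Record terminal activity. Returns False, and closes the session, once
        the terminal has been idle longer than 15 minutes (item 15), so the
        caller must send the user back through login()."""
        acct = self.accounts[username]
        now = self.clock()
        if not acct.session_open or now - acct.last_activity > IDLE_SECONDS:
            acct.session_open = False
            return False
        acct.last_activity = now
        return True
```

Two design points worth noting for a POS integrator: the lockout is recorded per user ID rather than per terminal, because item 13 is about the ID and a clerk will move between lanes; and the history check compares salted hashes rather than plaintext, so enforcing item 12 does not require keeping old passwords recoverable, which would defeat item 8.C.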