PCI Data Security and Classification Standards Summary



Similar documents
Managed Hosting & Datacentre PCI DSS v2.0 Obligations

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

General Standards for Payment Card Environments at Miami University

Credit Card Security

PCI DSS Requirements - Security Controls and Processes

Payment Card Industry Data Security Standard

TERMINAL CONTROL MEASURES

Becoming PCI Compliant

PCI DSS requirements solution mapping

Payment Card Industry Compliance

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution

Information Security Policy

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

A Rackspace White Paper Spring 2010

Cyber-Ark Software and the PCI Data Security Standard

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Josiah Wilkinson Internal Security Assessor. Nationwide

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Payment Card Industry (PCI) Data Security Standard. Version 1.1

Payment Card Industry (PCI) Compliance. Management Guidelines

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

Payment Card Industry Data Security Standard

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Miami University. Payment Card Data Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

University of Sunderland Business Assurance PCI Security Policy

Implementation Guide

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

How To Complete A Pci Ds Self Assessment Questionnaire

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

Appendix 1 Payment Card Industry Data Security Standards Program

The University of Texas at El Paso

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 3

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Dartmouth College Merchant Credit Card Policy for Processors

Policies and Procedures

Windows Azure Customer PCI Guide

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Enforcing PCI Data Security Standard Compliance

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Payment Card Industry Self-Assessment Questionnaire

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

CREDIT CARD PROCESSING & SECURITY POLICY

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Technology Innovation Programme

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

New York University University Policies

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Appendix 1 - Credit Card Security Incident Response Plan

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Frequently Asked Questions

Accepting Payment Cards and ecommerce Payments

Information Technology

ISO PCI DSS 2.0 Title Number Requirement

Credit Card Handling Security Standards

Project Title slide Project: PCI. Are You At Risk?

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

What To Do if Compromised. Visa USA Fraud Investigations and Incident Management Procedures

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY October

PCI DSS 3.1 Security Policy

HIPAA Security Alert

CREDIT CARD PROCESSING POLICY AND PROCEDURES

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes

Transcription:

PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers seek out merchants that are reputable and reliable, they expect assurance that their account information is being guarded and their personal data is safe. Payment Card Industry (PCI) Compliance To comply with regulations concerning credit cards, you must follow the PCI Data Security Standards, which are summarized below. See the actual standards posted on the PCI Standards Council site at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml. References to policies are addressed at the system level. It is sufficient for each merchant to indicate in their departmental policies that they adopt all policies related to PCI compliance. To the extent a department s policies must differ from these policies, the exception must be clearly justified in the department s policy manual and the exception policy clearly articulated. PCI Data Security Standards Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security Non-technical PCI standards are discussed in greater detail below. All PCI standards are considered requirements, unless otherwise noted. Protect Stored Data Do not store cardholder data unless absolutely necessary. Merchants can obtain cardholder data from Paymentech and credit card accounts should not be included with credit card journals, so most departments should not need to store this information. If it is necessary to store cardholder data, the merchant must follow the requirements below: Page 1 of 7

Keep cardholder information storage to a minimum. Retain data consistent with the system s records retention policy for category 4 data (fiscal records). Shred paper documents using approved destruction methods (minimally cross-cut shredding). Delete electronic files. Destroy (shred, crush or degauss using DoD type overwrite processes) any computer hard drive disposed of that contained credit card data. Do not store sensitive authentication data (CVV2, CVC2, PIN data) subsequent to authorization (not even encrypted). Do not store contents of magnetic stripe on back of card except name, PAN and expiration date. (Both Track 1 and Track 2). Do not store card validation code, which is a three or four digit code on back of card (e.g., CVV2 and CVC2 data). Do not store the PIN Verification Value (PVV). Mask the account number when displayed (first 6 digits and last 4 digits are the maximum number to be displayed). This does not apply to employees who need to see full account number. Render sensitive cardholder data (the account number at a minimum) unreadable anywhere it is stored electronically. (See component Information Technology Division for encryption techniques.) Protect encryption keys against disclosure and misuse. o Restrict access to keys to fewest number of individuals necessary. o Store keys securely in fewest possible locations and forms. Document and implement all encryption key management processes and procedures o Generation of strong keys (only industry tested and accepted algorithms allowed. No proprietary algorithms from vendor products should be accepted). o Secure key distribution. o Secure key storage. o Periodic key changes. Page 2 of 7

o Destruction of old keys. o Split knowledge and dual control of keys (so 2 or 3 people need to work together to reconstruct the entire key). o Prevention of unauthorized substitution of keys. o Replacement of known or suspected compromised keys. o Revocation of old or invalid keys. o Requirement that key custodians sign a form acknowledging their key-custodian responsibilities. Authorization Numbers After successfully processing a transaction, you are returned an authorization number. This is unique per transaction and has no intrinsic value of its own. It is safe to store this value, write it to logs, present it to staff and email it to the customer. Handling Recurring Payments One of the few business reasons for storing credit card numbers is recurring payments. However, you have several responsibilities if you support recurring payments: You must follow the terms of your merchant agreement. Most merchant agreements require you to have original signed standing authorizations from credit card holders. This bit of signed paper will help you if the customer challenges your charges. If you store whole credit card numbers electronically, PCI guidelines require the numbers to be encrypted. Limit the term of the recurring payment to no more than one year, particularly if you have cardholder not present (CNP) transactions. Expunge the credit card details as soon as the agreement is finished. Card-not-present data such as CVV2, CVC2 and PIN numbers cannot be stored for recurring payments. Encrypt Transmission of Cardholder Data and Sensitive Information Across Public Networks Use strong encryption techniques when transmitting cardholder data across public networks. (See component Information Technology Division for encryption techniques.) Never send cardholder data via unencrypted email. Use and Regularly Update Anti-Virus Software Deploy anti-virus mechanisms on all systems commonly affected by viruses (e.g., PC s and servers) that store, process, or transmit credit card information. Page 3 of 7

Ensure all anti-virus mechanisms are current, actively running, and capable of generating audit logs. Restrict Access to Data by Business Need-to-Know Limit access to computing resources and cardholder data to those individuals whose job requires access. Establish a mechanism for systems with multiple users that restricts access based on a user s need to know and is set to deny all unless specifically allowed. Restrict Physical Access to Cardholder Data Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data. o Use cameras to monitor sensitive areas. Audit this data and correlate with other entries. Store camera data for at least three months, unless otherwise restricted by law. o Restrict physical access to publicly accessible network jacks. o Restrict physical access to wireless access points, gateways, and handheld devices. Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder information is accessible. Make sure all visitors who enter areas where cardholder data is processed or maintained are: o Authorized before entering those areas. o Given a physical token (e.g., badge or access device) that expires, and that identifies them as non-employees. o Asked to surrender the physical token before leaving the facility or at the date of expiration. Where physical tokens are provided to visitors, use a visitor log to retain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law. Minimally, logs should require name, company and authorizing employee. These logs should be used at entrances to all facilities where cardholder data is stored, processed or transmitted. Store media back-ups, if any, in a secure off-site facility, which may be either an alternate third-party or a commercial storage facility. Page 4 of 7

Physically secure all paper and electronic media (e.g., computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder information. Maintain strict control over the internal or external distribution of any kind of media that contains cardholder information. o Media should be identifiable as confidential based on some process (such as specially coded bar labels, color coded tape media, or other marking which only an employee would understand identifies the media as confidential. o Send the media via secured courier or a delivery mechanism that can be accurately tracked. Ensure management approves all media that is moved from a secured area (especially when media is distributed to individuals). Maintain strict control over the storage and accessibility of media that contains cardholder information: o Properly inventory all media and make sure it is securely stored. Destroy media containing cardholder information when it is no longer needed for business or legal reasons: o Cross-cut shred, incinerate, or pulp hardcopy materials. o Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed. Information Security for Employees and Contractors Develop daily operational security procedures that are consistent with PCI Data Security Standards, such as: o User account maintenance procedures. o Log review procedures. Retain logs consistent with the system s records retention policy for category 2 data (automation records). Ensure the proper use of employee facing technology (such as wireless, Bluetooth, GPRS and modems) by all employees and contractors by ensuring policies address the following: o Explicit management approval. o Authentication for use of the technology. Page 5 of 7

o A list of all such devices and personnel with access. o Labeling of devices with owner, contact information, and purpose. o Acceptable uses of the technology. o Acceptable network locations for these technologies. o A list of company-approved products. o Automatic disconnect of modem sessions after a specific period of inactivity. o Activation of modems for vendors only when needed by vendors, with immediate deactivation after use. o Storage of cardholder data on local hard drives, floppy disks or other external media via cut and paste, screen print and other printing functions is prohibited. Clearly define information security responsibilities for all employees and contractors. Assign to an individual or team the following information security management responsibilities: o Distribute security policies and procedures to appropriate employees. o Monitor and analyze security alerts and information, and distribute to appropriate personnel. o Follow the security incident response and escalation procedures in the Incident Response Plan to ensure timely and effective handling of all situations. o Administer user accounts, including additions, deletions, and modifications. o Monitor and control all access to data.. Make all employees aware of the importance of cardholder information security. Screen potential employees via background checks, police record checks or credit history checks to minimize the risk of attacks from internal sources. Contractually require all third parties and applications with access to cardholder data to adhere to payment card industry security requirements. At a minimum, the agreement should address: o Acknowledgement that the 3rd party is responsible for securing cardholder data to PCI standards while in their possession. o Third parties must be willing to provide evidence on a regular basis to show cardholder data is protected to PCI standards. Page 6 of 7

Adhere to the Incident Response Plan. Be prepared to respond immediately to a system breach. o UHS Information Technology will coordinate an annual test of the incident response plan. o Designate specific personnel to be available on a 24/7 basis to respond to alerts. o Provide appropriate training to staff with security breach response responsibilities. o Include alerts from all appropriate sources to include intrusion detection, intrusion prevention, and file integrity monitoring systems. o The incident response plan will be revised according to lessons learned and to incorporate industry developments. Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information