This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.



Similar documents
PCI Data Security and Classification Standards Summary

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Accounting and Administrative Manual Section 100: Accounting and Finance

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Miami University. Payment Card Data Security Policy

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

General Standards for Payment Card Environments at Miami University

University of Sunderland Business Assurance PCI Security Policy

Controls for the Credit Card Environment Edit Date: May 17, 2007

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

PCI DSS requirements solution mapping

A Rackspace White Paper Spring 2010

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

Payment Card Industry (PCI) Data Security Standard. Version 1.1

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Payment Card Industry (PCI) Data Security Standard. Version 1.1

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI DSS Requirements - Security Controls and Processes

Payment Card Industry Compliance

PCI Requirements Coverage Summary Table

Cyber Self Assessment

Information Security Policy

TERMINAL CONTROL MEASURES

LSE PCI-DSS Cardholder Data Environments Information Security Policy

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Supplier Information Security Addendum for GE Restricted Data

Payment Card Industry Self-Assessment Questionnaire

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Huddersfield New College Further Education Corporation

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

PCI Requirements Coverage Summary Table

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

74% 96 Action Items. Compliance

b. USNH requires that all campus organizations and departments collecting credit card receipts:

Data Management Policies. Sage ERP Online

California State University, Sacramento INFORMATION SECURITY PROGRAM

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

PCI DSS 3.1 Security Policy

STATE OF NEW JERSEY IT CIRCULAR

Client Security Risk Assessment Questionnaire

Payment Card Industry Data Security Standard

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Payment Card Industry (PCI) Compliance. Management Guidelines

GFI White Paper PCI-DSS compliance and GFI Software products

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Windows Azure Customer PCI Guide

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

The University of Texas at El Paso

Payment Card Industry Data Security Standard

San Jose Airport Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011

Information security controls. Briefing for clients on Experian information security controls

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Attachment A. Identification of Risks/Cybersecurity Governance

PCI and PA DSS Compliance Assurance with LogRhythm

PII Compliance Guidelines

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

March

New York University University Policies

HIPAA Security Alert

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Introduction. PCI DSS Overview

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Security Management. Keeping the IT Security Administrator Busy

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

PCI v2.0 Compliance for Wireless LAN

Information Security Program Management Standard

BRAND-NAME is What COUNTS!!!

Did you know your security solution can help with PCI compliance too?

Document No.: VCSATSP Restricted Data Access Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Access Policy

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

Office of Finance and Treasury

SonicWALL PCI 1.1 Implementation Guide

University Policy Accepting and Handling Payment Cards to Conduct University Business

USC Data Security Requirements (Standards) Guidelines for Compliance Revised 05-Jan-2015

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Achieving PCI-Compliance through Cyberoam

ISO PCI DSS 2.0 Title Number Requirement

PCI implementation guide for L-POS

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services

Information about this New Document

CREDIT CARD PROCESSING POLICY AND PROCEDURES

Andy s Burgers Shakes & Fries. PCI-DSS Policy

Transcription:

- 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must be conducted as described herein and in accordance with the standards and procedures listed in the Related Documents section of this Policy. No activity may be conducted nor any technology employed that might obstruct compliance with any portion of the PCI-DSS. This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. 2. Applicability and Availability This policy applies to all employees. (12.1) Relevant sections of this policy apply to vendors, contractors, and business partners. 3. Policy Requirements (2.2.a) Configuration standards must be maintained for applications, network components, critical servers, and wireless access points. These standards must be consistent with industry-accepted hardening standards as defined, for example, by SysAdmin Assessment Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). [2.2.b should be captured in your system configuration standard; 2.2.c and 2.2.3.b should be covered in your procedure for new server set-up] Configuration standards must include: (5.2) updating of anti-virus software and definitions (6.1.b) provision for installation of all relevant new security patches within 30 days (8.5.8.b) prohibition of group and shared passwords

2 Viterbo University (9.7) Distribution, maintenance, and storage of media containing cardholder data, must be controlled, including that distributed to individuals. (9.9) Procedures must include periodic media inventories in order to validate the effectiveness of these controls. (3.1) Procedures for data retention and disposal must be maintained by each department and must include the following: legal, regulatory, and business requirements for data retention, including specific requirements for retention of cardholder data provisions for disposal of data when no longer needed for legal, regulatory, or business reasons, including disposal of cardholder data coverage for all storage of cardholder data, including database servers, mainframes, transfer directories, and bulk data copy directories used to transfer data between servers, and directories used to a programmatic (automatic) process to remove, at least on a quarterly basis, stored cardholder data that exceeds business retention requirements, or, alternatively, an audit process, conducted at least on a quarterly basis, to verify that stored cardholder data does not exceed business retention requirements (9.10) destruction of media when it is no longer needed for business or legal reasons as follows: o cross-cut shred, incinerate, or pulp hardcopy materials o purge, degauss, shred, or otherwise destroy electronic media such that data cannot be reconstructed (3.3) Credit card numbers must be masked when displaying cardholder data. Those with a need to see full credit card numbers must request an exception to this policy using the exception process. (4.2.b) Unencrypted Primary Account Numbers may not be sent via email (7.1) Procedures for data control must be maintained by each department and must incorporate the following: Access rights to privileged User IDs are restricted to least privileges necessary to perform job responsibilities Assignment of privileges is based on individual personnel s job classification and function Requirement for an authorization form signed by management that specifies required privileges Implementation of an automated access control system

3 Viterbo University - (12.3) For critical employee-facing technologies, departmental procedures shall require: (12.3.1) explicit management approval to use the devices (12.3.2) that all device use is authenticated with username and password or other authentication item (for example, token) (12.3.3) a list of all devices and personnel authorized to use the devices (12.3.4) labeling of devices with owner, contact information, and purpose (12.3.8) automatic disconnect of modem sessions after a specific period of inactivity (12.3.9) activation of modems used by vendors only when needed by vendors, with immediate deactivation after use Departmental usage standards shall include: (12.3.5) acceptable uses for the technology (12.3.6) acceptable network locations for the technology (12.3.7) a list of company-approved products (12.3.10) prohibition of the storage of cardholder data onto local hard drives, floppy disks, or other external media when accessing such data remotely via modem (12.3.10) prohibition of use of cut-and-paste and print functions during remote access Chief Security Officer (VP of Finance and Adminstration) (12.5) Chief Security Officer (or equivalent) is responsible for overseeing all aspects of information security, including but not limited to: (12.5.1) creating and distributing security policies and procedures (12.5.2) monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel (12.5.3) (12.9) creating and distributing security incident response and escalation procedures that include: (12.9.1) roles, responsibilities, and communication (12.9.1) coverage and responses for all critical system components (12.9.1) notification, at a minimum, of credit card associations and acquirers (12.9.1) strategy for business continuity post compromise (12.9.1) reference or inclusion of incident response procedures from card associations (12.9.1) analysis of legal requirements for reporting compromises (for example, per California bill 1386)

4 Viterbo University (12.9.2) annual testing (12.9.3, 12.9.5) designation of personnel to monitor for intrusion detection, intrusion prevention, and file integrity monitoring alerts on a 24/7 basis (12.9.4) plans for periodic training (12.9.6) a process for evolving the incident response plan according to lessons learned and in response to industry developments (12.6; 12.6.1.a) maintaining a formal security awareness program for all employees that provides multiple methods of communicating awareness and educating employees (for example, posters, letters, meetings) (10.6.a) review security logs at least daily and follow-up on exceptions (12.2.a) The Information Technology Office (or equivalent) shall maintain daily administrative and technical operational security procedures that are consistent with the PCI-DSS (for example, user account maintenance procedures, and log review procedures). System and Application Administrators System and Application Administrators shall: (12.5.2) monitor and analyze security alerts and information and distribute to appropriate personnel (12.5.4) administer user accounts and manage authentication (12.5.5) monitor and control all access to data (12.10.1) maintain a list of connected entities (12.10.2) perform due diligence prior to connecting an entity, with supporting documentation (12.10.3, 12.4) verify that the entity is PCI-DSS compliant, with supporting documentation (12.10.4) establish a documented procedure for connecting and disconnecting entities (10.7.a ) retain audit logs for at least one year Department Heads Department Heads (or equivalent) is responsible for tracking employee participation in the security awareness program, including: (12.6.1.b) facilitating participation upon hire and at least annually (12.6.2) ensuring that employees acknowledge in writing that they have read and understand the company s information security policy (12.7) screen potential employees to minimize the risk of attacks from internal sources Internal Audit Internal Audit (or equivalent) is responsible for executing a (12.1.2) risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment.

5 Viterbo University General Counsel General Counsel (or equivalent) will ensure that for service providers with whom cardholder information is shared: (12.8.1, 12.4) contracts require adherence to PCI-DSS by the service provider (12.8.2, 12.4) contracts include acknowledgement or responsibility for the security of cardholder data by the service provider

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information