Payment Card Industry Data Security Standard



Similar documents
PCI DSS Requirements - Security Controls and Processes

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Becoming PCI Compliant

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

University of Sunderland Business Assurance PCI Security Policy

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Passing PCI Compliance How to Address the Application Security Mandates

Teleran PCI Customer Case Study

74% 96 Action Items. Compliance

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Credit Card Security

GFI White Paper PCI-DSS compliance and GFI Software products

General Standards for Payment Card Environments at Miami University

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Payment Card Industry Self-Assessment Questionnaire

Presented By: Bryan Miller CCIE, CISSP

PCI Data Security and Classification Standards Summary

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

A Rackspace White Paper Spring 2010

PCI Data Security Standards

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

March

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Your Compliance Classification Level and What it Means

Security standards PCI-DSS, HIPAA, FISMA, ISO End Point Corporation, Jon Jensen,

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Achieving PCI-Compliance through Cyberoam

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Enforcing PCI Data Security Standard Compliance

Josiah Wilkinson Internal Security Assessor. Nationwide

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

CREDIT CARD SECURITY POLICY PCI DSS 2.0

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Did you know your security solution can help with PCI compliance too?

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

LogRhythm and PCI Compliance

Information Technology

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Continuous compliance through good governance

PCI Requirements Coverage Summary Table

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Complying with PCI Data Security

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

PCI DSS 3.1 Security Policy

PCI DSS v2.0. Compliance Guide

Vanderbilt University

SonicWALL PCI 1.1 Implementation Guide

PCI DSS Compliance Guide

Credit Card Handling Security Standards

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Why Is Compliance with PCI DSS Important?

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

PCI Requirements Coverage Summary Table

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

Windows Azure Customer PCI Guide

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Implementation Guide

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Information Resources Security Guidelines

Payment Card Industry (PCI) Compliance. Management Guidelines

Payment Card Industry Compliance

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Accepting Payment Cards and ecommerce Payments

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

ISO PCI DSS 2.0 Title Number Requirement

An Oracle White Paper January Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PCI and PA DSS Compliance Assurance with LogRhythm

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Policies and Procedures

Cyber-Ark Software and the PCI Data Security Standard

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Transcription:

Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure and compromise, the Payment Card Industry (PCI), i.e., Visa, MasterCard, American Express, JCB and Discover, formed a security standards council that is charged with creating and maintaining mandatory standards which are designed to assist with properly securing payment card data that is processed, transmitted or stored by an organization. This document sets minimum baseline security requirements for all personnel and information systems which process, store or transmit payment card data. All UTMB faculty, staff and students, who process, maintain and access payment card data, or maintain an information resource that processes, stores or transmits payment card data are required to comply with this practice standard. Any deviation (security degradation) from this standard requires approval from the Office of Information Security. Exception can be requested at http://www.utmb.edu/infosec. All data owners and system custodians who maintain information resources that store, process and/transmit card holder data is required to comply with the Payment Card Industry, Data Security Standard (PCI-DSS) The Office of Information Security shall assess PCI-DSS implemented security controls for effectiveness, and submit an attestation of PCI DSS compliance annually, to the Associate Vice President of Finance and Global Payments. UTMB Information Resource users are required to protect Sensitive Digital Data in accordance with UTMB Standard 1.2.10 Managing Sensitive Digital Data. Sensitive Digital Data, as defined by UTS 165, includes social security numbers, Protected Health Information (PHI), Sensitive Research Data, digital Data associated with an individual and/or digital Data protected by law. Sensitive digital Data must be secured and protected while at rest (electronic storage on a hard drive, digital or optical media), mobile (laptop, PDA or flash drive) and in transit (via email or the Internet). Page 1 of 4

ADMINISTRATIVE REQUIREMENTS Departments and personnel who process payment card data shall adhere to the following requirements: Only departments who have a UTMB merchant ID through Global Payments are authorized to collect, process, store, or transmit payment card data. Departments will not store any of the following cardholder information (even if encrypted): o Full Magnetic Stripe o CAV2/CVC2/CVV2/CID o PIN/PIN Block o Full 16 Digit Personal Account Number (PAN) Departments may store the following cardholder s information if a business need exists: o PAN s, as long as it s rendered unreadable through truncation o Cardholders name o Service code o Expiration date Limit the storage of payment card data to the department s data retention schedule. Unnecessary stored data will be purged at least quarterly. Payment card data shall only be stored, processed or transmitted from institutional systems that are secured in accordance with this practice standard. Payment card data shall not be stored on any personally owned device, desktop computers, to include a UTMB owned desktops, or any portable computing device. Additionally, Payment card data shall not be copied to, or stored on any type of removable media, i.e., CD-ROM, DVD s, flash drives, etc., unless it is a integrated component of an institutional system, i.e., tape backup. When transmitting payment card data over an open public network. i.e., the internet. It must be secured using a minimum of 128 bit encryption. Payment card data shall not be transmitted using end-user messaging technologies. i.e., email (even if encrypted). Limit access to payment card data to personnel whose job duties require such access. All users accessing payment card data shall have a user account created and managed using practice standard 1.2.1, Account Management. To minimize the risk of malicious compromises from internal sources, hiring authorities, working in conjunction with the Department of Human Resources, shall screen potential personnel (to include contractors) prior to hire. Example screening includes previous employment history, criminal record, credit history, and reference checks. Page 2 of 4

CUSTODIAL REQUIREMENTS System custodians responsible for information resources that process, store and/or transmit payment card data are required to adhere to the following requirements: Secure all information resources in accordance with practice standard 1.1.5, Platform Hardening. Payment card data must be encrypted when transmitting over an open public network. i.e., the Internet. Transportation protocols, including Transport Layer Security (TLS) and Secure Socket Layer (SSL), shall be configured using a minimum of 128 bit encryption. Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Critical patches shall be deployed within a month of release. All software applications (internal and external, and including web-based administrative access) shall be developed in accordance with the Payment Card Industry, Data Security Standard (PCI DSS) and based on industry best practices. Information security shall be incorporated throughout the software development life cycle. All changes to information resources shall be approved and documented in accordance with practice standard 1.3.1, Change Management. Physically secure all information resources in accordance with practice standard 1.2.6, Physical Access. Backup Information resources in accordance practice standard 1.3.2, Backup/Recovery. Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files or content files. The software will be configured to perform critical file comparisons at least weekly. Enable automated audit trails so that the following events can be reconstructed: o all individual user accesses to cardholder data o all actions taken by any individual with root or administrative privileges o access to all audit trails o invalid logical access attempts o use of identification and authentication mechanisms o initialization of the audit logs o creation and deletion of system-level objects Page 3 of 4

Record audit trail entries for all system components for each event, including at a minimum: o user identification o type of event o date and time o success or failure indication o origination of event o identity or name of affected data o system component or resource Using time synchronization technology, synchronize all critical system clocks and times Secure audit trails so they cannot be altered NETWORK AND SECURITY REQUIREMENTS The Information Services, Network and Security Department shall adhere to the following requirements. Assist custodians in configuring systems to transmit security events and audit logs to the enterprise security information manager. Review logs for all system components related to security functions at least daily. Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis. Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. Perform internal and external network vulnerability scans at least quarterly and after any significant change in the network. Perform external and internal penetration testing, including network- and application-layer penetration tests, at least annually and after any significant infrastructure or application upgrade or modification. Use network intrusion detection systems and/or intrusion prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. IDS/IPS engines, baselines, and signatures must be kept up to date. Page 4 of 4

Disciplinary Actions INFORMATION SECURITY OFFICER REQUIREMENTS The Information Security Officer shall adhere to the following requirements. Establish, publish, maintain, and disseminate a security policy that addresses all PCI DSS requirements, including an annual process for identifying vulnerabilities and formally assessing risks, and includes a review at least once a year and when the environment changes. Engage an Approved Scanning Vendor (ASV) to perform quarterly external vulnerability scans. Develop daily operational security procedures that are consistent with requirements in PCI DSS. Develop usage policies for critical technologies to define their proper use by all personnel. These include remote access, wireless, removable electronic media, laptops, tablets, handheld devices, email and Internet. Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. Review implemented security controls for effectiveness, and submit an attestation of PCI DSS compliance annually, to the Associate Vice President of Finance and Global Payments. Violations of this policy may result in disciplinary action which may include termination for employees; a termination of employment relations in the case of contractors or consultants; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of UTMB IR access privileges, civil and/or criminal prosecution. References Texas Administrative Code Chapter 202 Payment Card Industry, Data Security Standard UT System Policy, UTS-165 Page 5 of 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information