Miami University Payment Card Data Security Policy
Document type: IT Policy
Issued by: IT Services

SCOPE: This policy covers all units within Miami University that store, process, or transmit payment card data.

RATIONALE: Miami is obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS) in order to receive payment via credit or debit cards. PCI DSS requires that certain elements of how we store, process, or transmit payment card data be codified in policy.

IT POLICY:

A. Firewall and router configurations
Every 6 months IT Services will review the firewall and router configurations of all devices touching networks that carry PCI DSS data.

B. Storage of electronic payment card data
Any unit wanting to store payment card data needs written approval from both the Chief Investment Officer and the Information Security Officer. With those approvals, electronic payment card data can be stored for up to 60 days. If the unit needs to store electronic payment card data for a longer period, approval from the Assistant Vice President responsible for the operations of the unit in question, the Chief Investment Officer, and the Information Security Officer allows the data to be stored for up to 180 days. Once payment card data is no longer needed, it will be disposed of securely; electronic data will be wiped using methods approved by the Information Security Officer. Under no circumstances may any office store the full contents of any magnetic stripe data, the card verification code, the personal identification number (PIN), or the encrypted PIN block. Any program storing payment card data will encrypt the data in accordance with the current applicable PCI DSS requirements. The associated cryptographic keys will be generated, stored, and changed in accordance with vendor best practices and applicable PCI DSS requirements. IT Services will confirm quarterly that payment card data is being stored and destroyed in accordance with this policy.

C. Paper records
Explicit written approval from the Information Security Officer is required to collect and/or store paper records containing payment card data. All such records must be stored in a secure fashion and must be destroyed with a cross-cut or confetti shredder as soon as the data is no longer needed. These records cannot be stored for more than 15 days. If paper records containing payment card data are created accidentally, they will be destroyed with a cross-cut or confetti shredder.

D. Display of payment card data
Any receipts or other printouts containing payment card data will display no more than the first 6 and last 4 digits of the payment card number.

E. Wireless networks
Any use of wireless networks to store, process, or transmit payment card data requires explicit approval from the Information Security Officer. IT Services will conduct quarterly scans to confirm that there are no unauthorized wireless access points in the data center.

F. Transmission of payment card data
Payment card numbers will only be transmitted across encrypted channels. Payment card numbers may not be transmitted through any instant message program or via text messaging.

G. Access to payment card data
All user accounts will be:
- restricted to the least privileges necessary to perform job responsibilities;
- assigned to individuals based on job classification and function;
- granted only with documented approval from authorized parties, and only with the privileges specified in that approval; and
- linked to one specific user.
Group accounts and shared passwords may not be used to access payment card data.

H. Backup media
All backup media will be stored in a location that the Information Security Officer deems physically secure. All backup media will be assigned to a backup group so that the sensitivity of the data on it can be determined. Backup media will be inventoried annually.

I. Security logs
Logs of relevant security events from systems that store, process, or transmit payment card data will be sent to a central log server and reviewed daily. All such logs will be retained for 1 year. Issues of note will be escalated to the Information Security Officer.
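The masking rule in section D (no more than the first 6 and last 4 digits) and the daily log review in section I are the two places where a unit can check its own systems for card numbers that leaked in the clear. The Python below is an added example for this page, not Miami University code and not part of the policy: it masks a PAN to the section D display form and scans constructed log lines for unmasked PANs. It assumes PANs are 13 to 19 digits, written unbroken or in groups split by single spaces or dashes, and uses a Luhn check to drop look-alike numbers. Candidate windows must align with the digit groups as written, so a 16-digit order number is not reported merely because one of its substrings happens to pass Luhn, while a PAN sitting next to another number with only a space between them is still found. The card numbers in the sample lines are the widely published Visa, Mastercard and American Express test numbers; the log format itself is made up.

```python
"""PAN masking (policy section D) and unmasked-PAN detection in log lines (section I).

Added example, not Miami University code. Assumptions: PANs are 13-19 digits,
Luhn-valid, and written either unbroken or in groups split by single spaces or dashes.
"""
import re

MIN_PAN, MAX_PAN = 13, 19

# A run of digit groups joined by single spaces or dashes, e.g. "4111 1111 1111 1111"
# or "2014-10-15". Each run is a candidate; windows inside it must align to groups.
CANDIDATE_RUN = re.compile(r"\d+(?:[ -]\d+)*")
GROUP = re.compile(r"\d+")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by the card brands to validate a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the section D display form: first 6 and last 4 digits, rest replaced by X."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not MIN_PAN <= len(digits) <= MAX_PAN:
        raise ValueError("expected 13-19 digits, optionally grouped by space or dash")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[str, int, int]]:
    """Find unmasked PANs in text.

    Returns (digits, start, end) per hit, where start/end are text offsets of the
    matched span. Only windows made of whole digit groups are tested, longest first,
    so "1234567890123456" is rejected as a whole even though its substring
    "34567890123456" passes Luhn, and a PAN that follows another number with only
    a space between them is still found.
    """
    hits = []
    for run in CANDIDATE_RUN.finditer(text):
        groups = [(g.group(), run.start() + g.start(), run.start() + g.end())
                  for g in GROUP.finditer(run.group())]
        i = 0
        while i < len(groups):
            hit = None
            for j in range(len(groups) - 1, i - 1, -1):
                digits = "".join(g[0] for g in groups[i:j + 1])
                if MIN_PAN <= len(digits) <= MAX_PAN and luhn_ok(digits):
                    hit = (digits, groups[i][1], groups[j][2], j)
                    break
            if hit is None:
                i += 1
            else:
                hits.append(hit[:3])
                i = hit[3] + 1
    return hits


def redact(text: str) -> str:
    """Mask every detected PAN in place, keeping separators and all other text."""
    chars = list(text)
    for digits, start, end in find_pans(text):
        seen = 0
        for pos in range(start, end):
            if chars[pos].isdigit():
                if 6 <= seen < len(digits) - 4:
                    chars[pos] = "X"
                seen += 1
    return "".join(chars)


# Constructed sample log lines (the format is made up); the card numbers are the
# well-known Visa, Mastercard and American Express test numbers, not real accounts.
SAMPLE_LOG = [
    "2014-10-15 09:12:44 POS01 auth ok pan=4111 1111 1111 1111 amt=42.50",
    "2014-10-15 09:13:02 POS01 auth ok pan=411111XXXXXX1111 amt=12.00",
    "2014-10-15 09:14:10 WEB order=1234567890123456 customer=378282246310005",
    "2014-10-15 09:15:33 WEB refund 5555-5555-5555-4444 ref 20141015",
    "2014-10-15 09:16:00 POS02 callback 513-555-0199 no card present",
]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line number, masked PAN) for every unmasked PAN found, for the daily review."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for digits, _, _ in find_pans(line):
            findings.append((n, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN {masked}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

`scan_log` reports only the masked form, so the review output itself never becomes a new store of payment card data; `redact` is the same rule applied in place when a log must be kept. Group alignment is a heuristic: a number glued to a PAN with no separator at all (a 20-digit run) is not searched, so treat a clean scan as a spot check, not proof of compliance.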

J. Incident response
The incident response plan used to respond to any possible breach of PCI systems or exposure of PCI data will be tested annually. Incident response for an issue involving PCI systems or PCI data will follow the timelines listed in the appendix, to ensure compliance with the incident response procedures of the payment brands.

K. Risk assessment
Each year IT Services will conduct a formal risk assessment of all systems that store, process, or transmit payment card data, using the process described in the PCI Risk Assessment Process document.

L. Software upgrades
Applications that store, process, or transmit payment card data require approval from the Information Security Officer before they are upgraded or patched.

M. Usage of new technologies
Any technology to be used with payment card data requires approval from the Information Security Officer. All such technologies are required to:
- require authentication to use;
- have a list of authorized users;
- be labeled so that the owner and use can be determined;
- be used only for accepted business practices;
- be placed on the network by IT Services;
- be explicitly approved for use by the Information Security Officer;
- automatically disconnect remote-access sessions after a specified period of inactivity;
- be usable by vendors and business partners only when needed;
- prevent copying, moving, or storing payment card data onto local storage media when accessed remotely; and
- be used in accordance with all PCI DSS requirements.

N. Security awareness program
IT Services will provide mandatory security awareness training annually to all staff who use systems that store, process, or transmit payment card data.

O. Service providers
A list of all service providers that store, process, or transmit payment card information on behalf of Miami University will be maintained. Each year the PCI DSS compliance status of every service provider will be verified.

P. Responsibilities
Creation and distribution of security policies, procedures, and the awareness program are the responsibility of the Information Security Officer.

Creation and distribution of security incident response and escalation procedures are the responsibility of the Information Security Officer. Monitoring and analyzing security alerts generated by systems that store, process, or transmit payment card data, and distributing that information to the appropriate personnel as needed, are the responsibility of the Security, Compliance, and Risk Management team. User account administration and authentication management are the responsibility of the Enterprise Systems & Operations team. Maintaining and verifying the necessary information from service providers is the responsibility of the Security, Compliance, and Risk Management team. Monitoring and controlling all access to data are the responsibility of the Security, Compliance, and Risk Management team, with assistance from the Enterprise Systems & Operations team and from the business units as needed.

Q. Exceptions
Any exception to this standard requires explicit written approval from the Information Security Officer before it is implemented.

R. Review
This standard will be reviewed by the Information Security Officer on an annual basis.

APPENDIX:

Definitions
Payment cards: credit or debit cards.
Payment card data: the payment card number, whenever more than the first 6 and last 4 digits of the full number are present.

Incident response timeline
After consultation with Miami's General Counsel, the card brands will be notified after detection of a breach of a PCI system or an exposure of PCI data. The forensic investigation will be completed within 72 hours of detection. A list of all compromised cards will be provided within 10 days of detection. A summary report outlining the incident, the number of cards compromised, our PCI DSS compliance at the time of the incident, and the steps taken to remediate the issue will be provided to the card brands within 72 hours of the issue being fully remediated.

APPROVAL(S) AND DATE(S):
Version 1.0: approved by the Information Security Officer on October 17, 2013
Version 1.1: approved by the Information Security Officer on December 13, 2013
Version 1.2: approved by the Information Security Officer on December 16, 2013
Version 1.3: approved by the Chief Investment Officer and the Information Security Officer on October 15, 2014

REVISION HISTORY & REFERENCES:
October 17, 2013, Version 1.0
December 13, 2013, Version 1.1: updated to align with the University's Credit Card Security Policies and Procedures
December 16, 2013, Version 1.2: updated to explicitly prohibit instant message and text messaging
October 15, 2014, Version 1.3: updated to reference the risk assessment document, to add 3rd-party annual validations and software upgrades, and to change the approval processes for storing both paper and electronic payment card numbers