Miami University Payment Card Data Security Policy
IT Policy
Issued by: IT Services

SCOPE: This policy covers all units within Miami University that store, process, or transmit payment card data.

RATIONALE: Miami is obligated to comply with the Payment Card Industry Data Security Standards (PCI DSS) in order to receive payment via credit or debit cards. PCI DSS requires that certain elements of how we store, process, or transmit payment card data be codified in policy.

IT POLICY:

A. Firewall and router configurations
IT Services will review all firewall and router configurations for any devices touching networks containing PCI DSS data every 6 months.

B. Storage of electronic payment card data
Any unit wanting to store payment card data needs written approval from both the Chief Investment Officer and the Information Security Officer to do so. With those approvals, electronic payment card data can be stored for up to 60 days. If the unit needs to store electronic payment card data for a longer period of time, approval from the Assistant Vice President responsible for the operations of the unit in question, the Chief Investment Officer, and the Information Security Officer allows the electronic payment card data to be stored up to 180 days.

Once payment card data is no longer needed, it will be disposed of in a secure fashion. Electronic data will be wiped via methods approved by the Information Security Officer.

Under no circumstances can any office store the full contents of any magnetic stripe data, the card verification code, the personal identification number (PIN), or the encrypted PIN block.

Any programs storing payment card data will encrypt the data in accordance with current applicable PCI DSS standards. Associated cryptographic keys will be generated, stored, and changed in accordance with vendor best practices and applicable PCI DSS standards.

IT Services will confirm quarterly that payment card data is being stored and destroyed in accordance with this policy.
C. Paper records
Explicit written approval from the Information Security Officer is required to collect and/or store paper records containing payment card data. All such records must be stored in a secure fashion, and must be destroyed with either a cross-cut shredder or a confetti shredder as soon as the data is no longer needed. These records cannot be stored for more than 15 days. If paper records containing payment card data are accidentally created, that data will be destroyed with either a cross-cut shredder or a confetti shredder.

D. Display of payment card data
Any receipts or other printouts containing payment card data will display no more than the first 6 and last 4 digits of the payment card number.

E. Wireless networks
Any use of wireless networks to store, process, or transmit payment card data requires explicit approval from the Information Security Officer. IT Services will conduct quarterly scans to confirm that there are no unauthorized wireless access points in the data center.

F. Transmission of payment card data
Payment card numbers will only be transmitted across encrypted channels. Payment card numbers may not be transmitted through any instant message programs or via text messaging.

G. Access to payment card data
All user accounts will be:
 - restricted to the least privileges necessary to perform job responsibilities;
 - assigned to individuals based on job classification and function;
 - granted only with documented approval from authorized parties and only with the privileges specified in that approval; and
 - linked to one specific user.
Group accounts and shared passwords are not allowed to access payment card data.

H. Backup media
All backup media will be stored in a location that the Information Security Officer deems to be physically secure. All backup media will be assigned to a backup group so the sensitivity of the data can be determined. Backup media will be inventoried on an annual basis.

I. Security logs
Logs of relevant security events for systems storing, processing, or transmitting payment card data will be sent to a central log server and reviewed daily. All such logs will be stored for 1 year. Issues of note will be escalated to the Information Security Officer.
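The display rule in section D (no more than the first 6 and last 4 digits on any receipt or printout) is something a unit can check mechanically before a print template or report goes live. The following is an added example, not part of the policy or of any Miami University code: it masks a card number to the policy's first-6/last-4 form and scans receipt text for digit runs that still look like unmasked card numbers, using the standard Luhn check to cut false positives from ordinary long numbers such as order ids. The sample receipt text and the test card number are constructed for the example.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; card numbers pass it, most other long numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Reduce a card number to the first 6 and last 4 digits, as section D allows."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# A run of 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid card-number-like digit run found in the text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def receipt_is_compliant(text: str) -> bool:
    """True when no unmasked card number appears in the receipt text."""
    return not find_unmasked_pans(text)

# Constructed sample receipts; 4111 1111 1111 1111 is a well-known test number.
NONCOMPLIANT_RECEIPT = (
    "Order 1234567890123456\n"          # 16 digits but fails Luhn: not flagged
    "Card: 4111 1111 1111 1111\n"       # full card number: flagged
    "Total: $42.00\n"
)
COMPLIANT_RECEIPT = (
    "Order 1234567890123456\n"
    "Card: " + mask_pan("4111 1111 1111 1111") + "\n"
    "Total: $42.00\n"
)

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(find_unmasked_pans(NONCOMPLIANT_RECEIPT))
    print(receipt_is_compliant(COMPLIANT_RECEIPT))
```

The masking keeps the digit count of the original number so a printed receipt still shows which card was used without exposing a full PAN; the scanner is meant as a pre-release check on templates and report output, not as a substitute for the Information Security Officer's review of where card data is stored.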
J. Incident response
The incident response plan that will be used to respond to any possible breaches to PCI systems or exposures of PCI data will be tested annually. Incident response for an issue involving PCI systems or PCI data will follow the timelines listed in the appendix to ensure compliance with the incident response procedures of the payment brands.

K. Risk assessment
IT Services will conduct a formal risk assessment for all systems that store, process, or transmit payment card data each year using the process described in the PCI Risk Assessment Process document.

L. Software upgrades
Applications that store, process, or transmit payment card data need approval from the Information Security Officer before they can be upgraded or patched.

M. Usage of new technologies
Any technology to be used with payment card data requires approval from the Information Security Officer. All such technologies are required to:
 - require authentication to use;
 - have a list of authorized users;
 - be labeled so the owner and use can be determined;
 - only be used for accepted business practices;
 - be placed on the network by IT Services;
 - be explicitly approved for use by the Information Security Officer;
 - automatically disconnect remote-access sessions after a specific period of inactivity;
 - only be usable by vendors and business partners when needed;
 - prevent copying, moving, or storing of payment card data onto local storage media when accessed remotely; and
 - be used in accordance with all PCI DSS requirements.

N. Security awareness program
Mandatory security awareness training for all staff using systems that store, process, or transmit payment card data will be provided annually by IT Services.

O. Service providers
A list of all service providers storing, processing, or transmitting payment card information on behalf of Miami University will be maintained. Each year all service providers will have their PCI DSS compliance status verified.

P. Responsibilities
Creation and distribution of security policies, procedures, and the awareness program are the responsibility of the Information Security Officer.
Creation and distribution of security incident response and escalation procedures are the responsibility of the Information Security Officer.

Monitoring and analyzing security alerts generated by systems storing, processing, or transmitting payment card data, and distributing that data to the appropriate personnel as needed, are the responsibility of the Security, Compliance, and Risk Management team.

User account administration and authentication management are the responsibility of the Enterprise Systems & Operations team.

Maintaining and verifying necessary information from service providers is the responsibility of the Security, Compliance, and Risk Management team.

Monitoring and controlling all access to data are the responsibility of the Security, Compliance, and Risk Management team, with assistance from the Enterprise Systems & Operations team as well as from the business units as needed.

Q. Exceptions
Any exceptions to this standard require explicit written approval from the Information Security Officer before they are implemented.

R. Review
This standard will be reviewed by the Information Security Officer on an annual basis.

APPENDIX:

Definitions
Payment cards: either credit or debit cards.
Payment card data: the payment card number when it consists of more than the first 6 and last 4 digits of the full number.

Incident response timeline
After consultation with Miami's General Counsel, the card brands will be notified after detection of a breach of a PCI system or an exposure of PCI data. The forensic investigation will be completed within 72 hours of detection. A list of all compromised cards will be provided within 10 days of detection. A summary report outlining the incident, the number of cards compromised, our PCI DSS compliance at the time of the incident, and the steps taken to remediate the issue will be provided to the card brands within 72 hours of the issue being fully remediated.
APPROVAL(S) AND DATE(S):
 - Version 1.0: Approval by Information Security Officer on October 17, 2013
 - Version 1.1: Approval by Information Security Officer on December 13, 2013
 - Version 1.2: Approval by Information Security Officer on December 16, 2013
 - Version 1.3: Approval by Chief Investment Officer and Information Security Officer on October 15, 2014

REVISION HISTORY & REFERENCES:

Revision History
 - October 17, 2013, Version 1.0
 - December 13, 2013, Version 1.1: Updated to align with the University's Credit Card Security Policies and Procedures
 - December 16, 2013, Version 1.2: Updated to explicitly prohibit instant message and text messaging
 - October 15, 2014, Version 1.3: Updated to reference the risk assessment document, to add 3rd-party annual validations and software upgrades, and to change approval processes for storing both paper and electronic payment card numbers