What You Need to Know About
the Payment Card Industry Data
Security Standard (PCI DSS)
Introduction to PCI DSS

The Payment Card Industry Data Security Standard was
developed in response to an increase in identity theft and credit
card fraud and encompasses a set of requirements for credit
card account data security.

All Binghamton University departments that accept, process,
store, or transmit credit card data must comply with PCI DSS.

The BU PCI Committee works with all campus departments to
ensure compliance for our merchant IDs. Completed PCI
Self-Assessment Questionnaires (SAQ) are required annually from
those who accept credit card payments.
Security Standard Overview

PCI DSS applies to all transaction types, including in-person,
mail, and web. BU is required to secure the entire transaction –
from the acceptance point, through the network configuration, to
the server where it is stored. Any hardcopy documents
containing cardholder data must also be secured.

If BU does not comply with the standard and our data is
compromised:

Fines are imposed by the payment card industry,

BU must also pay all remediation, assessment, forensic analysis, and legal
fees incurred,

Merchant accounts will be suspended.
What Data Must Be Protected?

Cardholder Data (CHD)

The primary account number (PAN) is the defining factor in the applicability of
PCI DSS requirements. If PAN is not stored, processed, or transmitted, PCI
DSS does not apply.

If it is stored with other data obtained as part of a payment transaction, such as
cardholder name, expiration date, and/or service code, protection is required
for all elements.
Sensitive Authentication Data

This consists of full magnetic stripe (track) data, the card validation code
(CVV2/CVC2/CID), and PIN data.

Storage of sensitive authentication data after authorization is prohibited,
even in encrypted form!
PCI DSS Requirements

Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect CHD


All systems must be protected from unauthorized access originating from
untrusted networks, whether that access arrives via the Internet (e-commerce
traffic, employees' desktop browsers, or employees' e-mail), via dedicated
connections such as business-to-business links, via wireless networks, or from
other sources.
Do not use vendor-supplied defaults for system passwords and
other security parameters

Malicious individuals (external and internal) often use vendor default passwords
and other vendor default settings (default accounts, SNMP community strings,
wireless keys) to compromise systems. These passwords and settings are well
known in hacker communities and easily determined from public information, so
change them before a system is connected to the network.
Protect Cardholder Data

Protect stored cardholder data


Encryption, truncation, and masking are critical components of cardholder data
protection. If an intruder circumvents other network security controls and gains
access to encrypted data, without the proper cryptographic keys, the data is
unreadable and unusable to that person. Other effective methods of protecting
stored data should be considered as potential risk mitigation opportunities. For
example, methods for minimizing risk include not storing cardholder data
unless absolutely necessary, truncating cardholder data if full PAN is not
needed, and not sending PAN in unencrypted e-mails.
Encrypt transmission of CHD across open, public networks

Misconfigured wireless networks and legacy encryption and authentication
protocols (for example WEP, SSL, and early TLS) remain targets for malicious
individuals seeking privileged access to cardholder data environments. Use
strong cryptography, at minimum TLS 1.2 with certificate validation, whenever
CHD crosses a network BU does not fully control.
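The transmission requirement in practice, as an added example that is not part of the original presentation or of any BU system: a client-side TLS configuration in Python for a service that forwards CHD to a payment processor, the weakened variant that tends to appear when someone silences a certificate error, and a small check that reports the settings a Requirement 4 review would reject. The processor hostname is not shown; the ca_bundle parameter is an assumed optional path to a private CA bundle.

```python
import ssl


def hardened_client_context(ca_bundle=None):
    """Outbound TLS for CHD: TLS 1.2 or later only, peer certificate required and
    checked against the hostname. ca_bundle is an assumed optional path to a private
    CA bundle; the system trust store is used when it is None."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def weakened_client_context():
    """The 'make the certificate error go away' variant. Any on-path attacker on an
    open network can present its own certificate and read the PAN in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """List the settings that would fail a Requirement 4 review; empty means clean."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSL/early TLS (below 1.2) still negotiable")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weakened:", audit_context(weakened_client_context()))
```

Pass the hardened context to whatever client opens the connection (for example `http.client.HTTPSConnection(host, context=ctx)`). This covers the outbound side only; the web server that accepts cards from customers must be checked in its own configuration, and the same three points apply there: no SSL or TLS below 1.2, a certificate chain that validates, and a hostname that matches.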
Maintain a Vulnerability Management Program

Use and regularly update anti-virus software


Malware—including viruses, worms, and Trojans—enters the network during
many activities including employees’ e-mail and use of the Internet, mobile
computers, and storage devices, resulting in the exploitation of system
vulnerabilities. Anti-virus software must be used on all systems commonly
affected by malware to protect systems from current and evolving malicious
software threats.
Develop and maintain secure systems and applications

All critical systems must have the most recently released, appropriate software
patches to protect against exploitation and compromise of cardholder data by
malicious individuals and malicious software; PCI DSS expects critical security
patches to be installed within one month of release.

Secure coding techniques must be used on all in-house application
developments.
Implement Strong Access Control Measures

Restrict access to CHD by business need to know



The more people who have access to CHD, the more risk there is that a user’s
account will be used maliciously. Limiting access to those with a strong
business reason for the access helps BU prevent mishandling of CHD through
inexperience or malice.
Assign a unique ID to each person with computer access

This ensures unique accountability for each person’s actions. When such
accountability is in place, actions taken on critical data and systems are
performed by, and can be traced to, known and authorized users.

Account passwords should never be shared!
Restrict physical access to CHD

Any physical access to data or systems that house CHD provides the
opportunity for individuals to access devices or data and to remove systems or
hardcopies, and should be appropriately restricted.

Access restriction should be applied to file cabinets and other hardcopy storage
areas, servers, network jacks, fax machines, point of sale devices, and wireless
and/or portable media (laptops, CDs, USB drives, etc).
Regularly Monitor and Test Networks

Track and monitor all access to network resources and CHD


Logging mechanisms and the ability to track user activities are critical in
preventing, detecting, or minimizing the impact of a data compromise. The
presence of logs in all environments allows thorough tracking, alerting, and
analysis when something does go wrong. Determining the cause of a
compromise is very difficult without system activity logs.
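To make two points in this deck concrete at once, the unique-ID rule (every action on CHD must be traceable to one known, authorized person) and the logging rule (logs must support detection and after-the-fact analysis), here is a small audit over an application access log. It is an added example, not code from the BU presentation or from any BU system; the log format, the field names, the authorized-user list, the generic-account list and the five-minute window are all assumptions chosen for the illustration, and the log lines are constructed. It flags CHD access by an account outside the need-to-know list, generic accounts that cannot be tied to one person, and one account used from two source addresses within a short window, which is the usual signature of a shared password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (one event per line); real systems differ, adjust LOG_RE to match.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
)

# Constructed sample log; no real users, hosts, or card data.
SAMPLE_LOG = """\
2024-03-01T09:15:02 user=jdoe src=10.1.5.20 action=view_chd
2024-03-01T09:16:10 user=jdoe src=10.1.5.20 action=view_chd
2024-03-01T09:17:45 user=jdoe src=192.0.2.77 action=export_chd
2024-03-01T09:20:00 user=cashier2 src=10.1.5.31 action=view_chd
2024-03-01T11:05:33 user=admin src=10.1.5.9 action=view_chd
2024-03-01T11:06:00 user=tsmith src=10.1.5.40 action=login
"""

AUTHORIZED_CHD_USERS = {"jdoe", "cashier2"}          # assumed need-to-know list
GENERIC_ACCOUNTS = {"admin", "root", "pos", "shared"}  # accounts not tied to one person
CHD_ACTIONS = {"view_chd", "export_chd"}


def parse_log(text):
    """Parse lines matching LOG_RE into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def audit(events, authorized=AUTHORIZED_CHD_USERS, window=timedelta(minutes=5)):
    """Return (rule, user, detail) findings; events must be in time order."""
    findings = []
    recent = defaultdict(list)   # user -> [(ts, src)] seen inside the window
    flagged_shared = set()
    for e in events:
        user, src, action = e["user"], e["src"], e["action"]
        if action in CHD_ACTIONS:
            if user in GENERIC_ACCOUNTS:
                findings.append(("generic_account", user, src))
            if user not in authorized:
                findings.append(("unauthorized_chd_access", user, src))
        # Keep only this user's events inside the window, then look for >1 source address.
        recent[user] = [(t, s) for t, s in recent[user] if e["ts"] - t <= window]
        recent[user].append((e["ts"], src))
        sources = sorted({s for _, s in recent[user]})
        if len(sources) > 1 and user not in flagged_shared:
            flagged_shared.add(user)
            findings.append(("possible_shared_credential", user, sources))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample this produces three findings: jdoe's export from a second address less than three minutes after the first view, and the admin account both for being generic and for not being on the authorized list. The shared-credential rule only works because each person has a unique ID; with a department-wide login there is nothing to correlate, which is the point of the requirement above.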
Regularly test security systems and processes

Vulnerabilities are being discovered continually by malicious individuals and
researchers, and being introduced by new software. System components,
processes, and custom software should be tested frequently to ensure security
controls continue to reflect a changing environment.
Maintain an Information Security Policy

A strong security policy sets the security tone for the whole
company and informs employees what is expected of them. All
employees should be aware of the sensitivity of data and their
responsibilities for protecting it.

The BU PCI Committee has drafted a policy and is currently
awaiting approval from the Information Security Council and
Senior Staff. Upon completion of this process the campus will
be notified.
How Can You Protect CHD?

Do not send CHD via email. Politely notify any customers who
submit credit card transactions via email that our business
practice does not allow acceptance of information in this
manner.

Require that the actual credit card be presented for all in-person
credit card transactions.

Lock your computer terminal, POS devices, file cabinets, and
vaults when not attended and after business hours.

Do not store CHD on wireless devices, portable media, or
shared networks (laptops, tablets, PDAs, CDs, USB drives,
shared drives).
How Can You Protect CHD?

Store only essential data

PANs must be truncated to the last 4 digits (the other digits are
discarded, not merely hidden)
DO NOT store magnetic stripe (track) data, PIN, or CVV/CVC/CID, not
even in encrypted form
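The truncation rule just above, together with the "Protect stored cardholder data" guidance earlier in this deck (do not keep full PAN unless necessary, truncate when full PAN is not needed, never put PAN in unencrypted e-mail), as one worked example. This is added illustration code, not part of the original BU presentation or of any BU system: it finds candidate PANs in free text with a digit-run pattern filtered by the Luhn check, produces the display (masked) and storage (truncated) forms, and redacts a block of text such as an inbound e-mail before it is forwarded or logged. The sample text is constructed; the card numbers in it are publicly documented test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters order numbers and other digit runs out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return PAN-looking digit runs that pass Luhn, as they appear in the text."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_valid(_digits(m.group()))]


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, the classic PCI DSS display maximum."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form used by this deck: keep only the last four digits. The rest is gone,
    not hidden, so the stored value is no longer a PAN and cannot be recovered."""
    return _digits(pan)[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in free text with its masked form before the text
    is forwarded, stored, or written to a log."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(_digits(m.group())) else m.group(),
        text,
    )


# Constructed sample (publicly documented test card numbers; not real accounts).
SAMPLE_EMAIL = (
    "Please charge 4111 1111 1111 1111, exp 12/26, for order 1234567890123456. "
    "Backup card: 378282246310005."
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
```

The 16-digit order number is left alone because it fails the Luhn check, while both card numbers are masked. Redaction is damage control for mail that has already arrived; the deck's actual rule is to refuse CHD by e-mail and to tell the customer so. Masking is for display, truncation is for storage, and neither substitutes for encryption when the full PAN genuinely must be kept.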

Hardcopy CHD must be locked in a secure area with limited
access. Card swipe entry, video surveillance, and visitor logs
can be used to protect the cardholder data environment.

Use a cross-cut shredder to dispose of CHD no longer needed
for business practices. CHD should only be retained as long as
there is a business need and cannot exceed a one-year
maximum.

Properly dispose of credit card processing equipment. Deliver
POS terminals to Revenue Accounting and computer terminals to
ITS.
How Can You Protect CHD?

Contractually require an annual attestation of compliance from
all third-party service providers. Amend current contracts and
include attestation language in RFPs.

Staff with access to the cardholder data environment must
complete annual PCI training.

Merchant departments must complete an annual SAQ.

Security incidents must be reported to the Information Security
Officer in accordance with the Information Security Incident
Response Plan.
Contact Information

If you would like to begin accepting credit card transactions,
including via web-based programs and third-party vendors, get
authorization from Revenue Accounting.
Erin Neske
eneske@binghamton.edu
777-4140
Resources

PCI Security Standards Council
https://www.pcisecuritystandards.org/

Binghamton University PCI DSS Policy
TBA

Binghamton University ITS Data Rules and Regulations
http://bingdev.binghamton.edu/acs-drupal/accounts

McAfee AntiVirus
http://www.mcafee.com/us/