What You Need to Know About the Payment Card Industry Data Security Standard (PCI DSS)

Introduction to PCI DSS

The Payment Card Industry Data Security Standard was developed in response to an increase in identity theft and credit card fraud and encompasses a set of requirements for credit card account data security. All Binghamton University departments that accept, process, store, or transmit credit card data must comply with PCI DSS. The BU PCI Committee works with all campus departments to ensure compliance for our merchant IDs. Completed PCI Self-Assessment Questionnaires (SAQ) are required annually from those who accept credit card payments.

Security Standard Overview

PCI DSS applies to all transaction types, including in-person, mail, and web. BU is required to secure the entire transaction – from the acceptance point, through the network configuration, to the server where it is stored. Any hardcopy documents containing cardholder data must also be secured.

If BU does not comply with the standard and our data is compromised:
- Fines are imposed by the payment card industry.
- BU must also pay all remediation, assessment, forensic analysis, and legal fees incurred.
- Merchant accounts will be suspended.

What Data Must Be Protected?

Cardholder Data (CHD)
The primary account number (PAN) is the defining factor in the applicability of PCI DSS requirements. If PAN is not stored, processed, or transmitted, PCI DSS does not apply. If it is stored with other data obtained as part of a payment transaction, such as cardholder name, expiration date, and/or service code, protection is required for all elements.

Sensitive Authentication Data
This consists of magnetic stripe data, card validation code, and PIN data. Storage of sensitive authentication data is prohibited!
PCI DSS Requirements
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy

Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect CHD
All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ email access; via dedicated connections such as business-to-business connections; via wireless networks; or via other sources.

Do not use vendor-supplied defaults for system passwords and other security parameters
Malicious individuals (external and internal) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.

Protect Cardholder Data

Protect stored cardholder data
Encryption, truncation, and masking are critical components of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, the data is unreadable and unusable to that person without the proper cryptographic keys. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full PAN is not needed, and not sending PAN in unencrypted e-mails.

Encrypt transmission of CHD across open, public networks
Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals, who exploit them to gain privileged access to cardholder data environments.
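The truncation and "do not store sensitive authentication data" points above (and the later "Store only essential data" slide) worked through in Python, as an added example that is not code from this deck or from Binghamton University: the record, its field names and the email body are constructed sample data built around the well-known 4111 1111 1111 1111 test number.

```python
import re

# Constructed sample record as a payment form might capture it. Field names are
# assumptions; the PAN is the well-known Visa test number, not a real account.
RAW_RECORD = {
    "name": "Sample Cardholder",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "pin": "4321",
    "track2": ";4111111111111111=29121011000012345678?",
    "amount": "42.00",
}
# Constructed outgoing email body of the kind the deck says must not carry CHD.
SAMPLE_EMAIL = "Hi, please charge 4111-1111-1111-1111 for my ticket. My office line is 777-4140."
# Sensitive authentication data: PCI DSS forbids storing any of these after authorization.
SAD_FIELDS = {"cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2", "magstripe"}
# 13-19 digits with optional space/dash separators: the shape of a PAN in free text.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, the most the deck allows to be stored."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("value does not look like a PAN")
    return digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Copy of the record that is safe to store: SAD dropped, PAN truncated."""
    clean = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in clean:
        clean["pan"] = truncate_pan(clean["pan"])
    return clean

def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in free text, e.g. to block an outgoing email."""
    candidates = (re.sub(r"\D", "", m.group()) for m in PAN_CANDIDATE.finditer(text))
    return [d for d in candidates if luhn_valid(d)]
```

The same find_pans scan can be run over outbound mail or log lines to catch PANs that policy says must not be there.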
Maintain a Vulnerability Management Program

Use and regularly update anti-virus software
Malware, including viruses, worms, and Trojans, enters the network during many activities, including employees’ e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.

Develop and maintain secure systems and applications
All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software. Secure coding techniques must be used on all in-house application development.

Implement Strong Access Control Measures

Restrict access to CHD by business need to know
The more people who have access to CHD, the greater the risk that a user’s account will be used maliciously. Limiting access to those with a strong business reason for it helps BU prevent mishandling of CHD through inexperience or malice.

Assign a unique ID to each person with computer access
This ensures unique accountability for each person’s actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Account passwords should never be shared!

Restrict physical access to CHD
Any physical access to data or systems that house CHD gives individuals the opportunity to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. Access restriction should be applied to file cabinets and other hardcopy storage areas, servers, network jacks, fax machines, point-of-sale devices, and wireless and/or portable media (laptops, CDs, USB drives, etc.).
Regularly Monitor and Test Networks

Track and monitor all access to network resources and CHD
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

Regularly test security systems and processes
Vulnerabilities are continually being discovered by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

Maintain an Information Security Policy

A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it. The BU PCI Committee has drafted a policy and is currently awaiting approval from the Information Security Council and Senior Staff. Upon completion of this process the campus will be notified.

How Can You Protect CHD?
- Do not send CHD via email. Politely notify any customers who submit credit card transactions via email that our business practice does not allow acceptance of information in this manner.
- Require that the actual credit card be presented for all in-person credit card transactions.
- Lock your computer terminal, POS devices, file cabinets, and vaults when not attended and after business hours.
- Do not store CHD on wireless devices, portable media, or shared networks (laptops, tablets, PDAs, CDs, USB drives, shared drives).

How Can You Protect CHD?
- Store only essential data:
  - PANs must be truncated to the last 4 digits.
  - DO NOT store magnetic stripe data, PIN, or CVV/CVC/CID.
- Hardcopy CHD must be locked in a secure area with limited access.
- Card swipe entry, video surveillance, and visitor logs can be used to protect the cardholder data environment.
- Use a cross-cut shredder to dispose of CHD no longer needed for business practices.
- CHD should only be retained as long as there is a business need and cannot exceed a one-year maximum.
- Properly dispose of credit card processing equipment. Deliver POS terminals to Revenue Accounting and computer terminals to ITS.

How Can You Protect CHD?
- Contractually require an annual attestation of compliance from all third-party service providers. Amend current contracts and include attestation language in RFPs.
- Staff with access to the cardholder data environment must complete annual PCI training.
- Merchant departments must complete an annual SAQ.
- Security incidents must be reported to the Information Security Officer in accordance with the Information Security Incident Response Plan.

Contact Information
If you would like to begin accepting credit card transactions, including via web-based programs and third-party vendors, get authorization from Revenue Accounting.
Erin Neske
eneske@binghamton.edu
777-4140

Resources
PCI Security Standards Council: https://www.pcisecuritystandards.org/
Binghamton University PCI DSS Policy: TBA
Binghamton University ITS Data Rules and Regulations: http://bingdev.binghamton.edu/acs-drupal/accounts
McAfee AntiVirus: http://www.mcafee.com/us/