Payment Card Industry Compliance Information
Introduction to Payment Card Industry Standards and Compliance
The Payment Card Industry Data Security Standard (PCI DSS) version 1.1 is a set of comprehensive requirements for credit card account data security, developed by a council that includes American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., to facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS security standard includes requirements for security management,
policies, procedures, network architecture, software design and other critical
protective measures. This comprehensive standard is intended to help organizations
proactively protect customer account data.
PCI Data Security rules change over time. Version 1.1 was adopted in October 2006. Future rules will use a "Do NOT Store" model; therefore, our general security recommendation to units is that they do NOT store ANY sensitive Cardholder Data.
The UB Financial Services Office and the Information Security Officer (ISO) work with departments and schools that accept, process, store, and transmit credit card data to ensure that all merchant IDs at UB are in compliance with PCI DSS.
PCI standards apply to all types of payments, including in-person, mail, telephone, and web transactions.
UB is committed to maintaining the security of customer information, including
payment cardholder number, name, expiration date, and verification
number, and follows best practices for protecting payment card information.
Compliance Requirements for Departments Processing Credit Cards
UB departments processing credit cards must comply with the
following requirements.
- Completed PCI Self-Assessment Questionnaires are required annually from all UB merchants who accept credit card payments. The questionnaire provides an assessment of a unit's compliance with PCI standards.
- All employees handling credit card data must complete the UBlearns PCI Tutorial and Assessment annually.
- Security scans of all outward-facing IP addresses on the same subnet as any computer dealing with credit cards (for e-commerce merchants, or terminal merchants that use IP-based instead of dial-up terminals) by a PCI-approved scanning vendor are also required to validate compliance with the PCI DSS. See PCI Security Scanning Procedures. UB has contracted with Security Metrics to provide these scans.
  The Payment Card Industry Data Security Standards were updated in April 2008 to clarify what required penetration testing must cover: "Penetration testing is different than the external and internal vulnerability assessments. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing should include network *and* application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network." [TOP OF THE NEWS, SANS NewsBites Vol. 10 Num. 34]
- Finally, all employees handling credit card data must comply with the Financial Services Credit Card Policy.
How can YOU protect cardholder data?
Paper Records
If you use Payment Card readers that transmit and receive Cardholder
Data via telephone lines and/or store Cardholder Data on paper:
- During business hours, restrict cardholder data to a controlled-access
area. After business hours, keep cardholder data in a locked container
(file cabinet, vault). Only those who have a business need to access
cardholder data should have keys, combinations, and other access to the
data.
- Dispose of Cardholder Data in a secure manner as your business need
for it expires. For example, use a cross-cut shredder or shredding service.
- Store only essential data.
- Cardholder credit card numbers must be truncated to the last 4 digits.
- Never retain the cardholder verification values or codes (CVV codes).
- Do not store the PIN or the full contents of any track from
the magnetic stripe.
- You must complete the PCI Questionnaire annually and send it to
the Financial Services Office.
Payment Card Processing with Computers
- You must complete the PCI Questionnaire annually and send it to
the Financial Services Office.
- Your computers and network must be scanned quarterly for vulnerabilities
by Security Metrics, UB's approved PCI scanning vendor.
- Do not use the UB wireless network to store, access, process, transmit, or receive cardholder data.
- Cardholder data must be stored only on a server dedicated to
processing Payment Card transactions, protected by a dedicated hardware
firewall, and subjected to quarterly security scans. Never store
Cardholder data on a web server, workstation, laptop, tablet, PDA, or on portable
media such as a USB drive, even if the data are encrypted.
- Dispose of Cardholder Data securely as soon as your business need for it expires.
- Avoid sending or receiving Payment Card information via email. If you
must send Payment Card information via email, the data
must be encrypted.
- Access to Cardholder Data must be granted on a need-to-know basis.
- Systems that store Cardholder Data should be set up to deny
access to all users except those specifically allowed to access the data
for business needs.
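The storage rules above (keep only the last four digits, never retain track data) are easy to state and easy to violate by accident in a log file or spreadsheet. As an added example, not part of UB's page or tooling, the Python below masks a card number to its last four digits and scans text for full, Luhn-valid card numbers and magnetic-stripe track data, so a unit can check its own files before filling in the questionnaire; the sample records are constructed.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; cuts false positives when flagging runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, as the storage rule requires."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("input does not look like a card number")
    return "*" * (len(digits) - 4) + digits[-4:]

# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 1 starts '%B<PAN>^', track 2 starts ';<PAN>=' (magnetic-stripe layouts).
TRACK_RE = re.compile(r"(?:%B\d{13,19}\^|;\d{13,19}=)")

def find_prohibited_data(text: str) -> list:
    """Return (kind, masked value) for each full PAN or track-data fragment found."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("full_pan", truncate_pan(digits)))
    for m in TRACK_RE.finditer(text):
        findings.append(("track_data", m.group()[:4] + "..."))
    return findings

# Constructed sample records; 4111... is a widely used test number, not a real account.
SAMPLE = """\
order=1001 card=4111 1111 1111 1111
order=1002 card=************1111
phone=716-555-0100
swipe=;4111111111111111=25121010000000000000?
"""

if __name__ == "__main__":
    for kind, value in find_prohibited_data(SAMPLE):
        print(f"{kind}: {value}")
```

Only the first and last sample lines are flagged: the already-truncated record and the phone number pass, which is the behaviour a file scan needs to avoid drowning real findings in noise.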