Payment Card Industry Compliance Information
Compliance Requirements for Departments Processing Credit Cards
How Can YOU Protect Cardholder Data?
Introduction to Payment Card Industry Standards and Compliance
The Payment Card Industry Data Security Standard (PCI DSS) version 1.1 is a set of comprehensive requirements for credit card account data security, developed by a council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc., to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
PCI Data Security rules change over time. Version 1.1 was adopted in October 2006. Future rules will be using a "Do NOT Store" model, and, therefore, our general security recommendations to units is that they do NOT store ANY sensitive Cardholder Data.
The UB Financial Services Office and the Information Security Officer (ISO) work with departments and schools that accept, process, store, and transmit credit card data to ensure that all merchant IDs at UB are in compliance with PCI DSS. PCI standards apply to all types of payments, including in-person, mail, telephone, and Web transactions. UB is committed to maintaining the security of customer information, including payment cardholder number, name, expiration date, and verification number, and follows best practices for protecting payment card information.
Compliance Requirements for Departments Processing Credit Cards
UB departments processing credit cards must comply with the following requirements:
- Completed PCI Self-Assessment Questionnaires are required annually from all UB merchants who accept credit card payments. The questionnaire provides an assessment of a unit's compliance with PCI standards.
- All employees handling credit card data must complete the UBlearns PCI Tutorial and Assessment annually.
- Security scans of all outward-facing IP addresses on the same subnet as any computer dealing with credit cards (for e-commerce merchants or terminal merchants that use IP-based instead of dial-up terminals) by a PCI-approved scanning vendor are also required to validate compliance with the PCI DSS. See PCI Security Scanning Procedures. UB has contracted with Security Metrics to provide these scans.
The Payment Card Industry Data Security Standards were updated in April 2008 to clarify what required penetration testing must cover: "Penetration testing is different than the external and internal vulnerability assessments. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing should include network *and* application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network." [TOP OF THE NEWS, SANS NewsBites Vol. 10 Num. 34]
- Finally, all employees handling credit card data must comply with the Financial Services Credit/Debit Card Merchant Requirements.
How can YOU protect cardholder data?
Paper Records
If you use Payment Card readers that transmit and receive Cardholder Data via telephone lines and/or store Cardholder Data on paper, comply with the following requirements:
- During business hours, restrict cardholder data to a controlled-access area. After business hours, keep cardholder data in a locked container (file cabinet, vault). Only those who have a business need to access cardholder data should have keys, combinations, and other access to the data.
- Dispose of Cardholder Data in a secure manner as your business need for it expires. For example, use a cross-cut shredder or shredding service.
- Store only essential data:
- Cardholder credit card numbers must be truncated to the last 4 digits
- Never retain the cardholder verification values or codes (CVV codes)
- Do not store the PIN or the full contents of any track from the magnetic stripe
- You must complete the PCI Questionnaire annually and send it to the Financial Services Office.
Payment Card Processing with Computers
- You must complete the PCI Questionnaire annually and send it to the Financial Services Office.
- Your computers and network must be scanned quarterly for vulnerabilities by Security Metrics, UB's approved PCI scanning vendor.
- Do not use the UB wireless network to store, access, process, transmit, or receive cardholder data.
- Cardholder data must be stored only on a server dedicated to processing Payment Card transactions, protected by a dedicated hardware firewall, and subjected to quarterly security scans. Never store Cardholder data on a Web server, workstation, laptop, tablet, PDA, or on portable media such as a USB drive, even if the data are encrypted.
- Dispose of Cardholder Data securely as soon as your business need for it expires.
- Avoid sending or receiving Payment Card information via E-mail. If you must send Payment Card information via E-mail, the data must be encrypted.
- Access to Cardholder Data must be granted on a need to know basis.
- Systems that store Cardholder Data should be set up to deny access to all users except those specifically allowed to access the data for business needs.