Title: Payment Card Industry Data Security Standards
Slide 1: Payment Card Industry Data Security Standards
- Michigan State University's project to attain compliance
Slide 2: What is PCI DSS?
- The Payment Card Industry Data Security Standard was developed by Visa and MasterCard and has been adopted by the other major payment card companies.
- PCI DSS is an extensive set of requirements that help keep customers' payment card information safe.
- Compliance with PCI DSS is required. Non-compliance, in the event of data exposure, may result in significant fines for the merchant (i.e., MSU): $500,000 and up.
Slide 3: When do the new rules take effect?
- June 2005
Slide 4: PCI DSS Project Team
- Mary Nelson, Manager of the MSU Cashier's Office, is leading the project.
- Administrative Information Services (AIS), Academic Computing and Network Services (ACNS) and Internal Audit are helping coordinate the work across campus.
Slide 5: Who is affected?
- Every college and department at MSU that accepts payment cards, regardless of the amounts involved, must comply with the Payment Card Industry Data Security Standard.
Slide 6: MSU Merchant Classification
- There are two basic payment card compliance groups at MSU:
  - Offices that use processing software which runs on servers owned and managed by that office (Complex Compliance Group).
  - Offices that process payments through webCredit or card-swipe terminals, or that use an outside vendor to process payments (Simplified Compliance Group).
Slide 7: Warning!
- If you believe that you belong to the Simplified Compliance Group, but store payment card information such as payment card account numbers and expiration dates on servers (data, fax, imaging) or on desktop PCs, you may actually belong to the Complex Compliance Group. More information on this topic later.
Slide 8: What are the compliance categories?
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Slide 9: Build and maintain a secure network
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Slide 10: Protect cardholder data
- Requirement 3: Protect stored data
- Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
Slide 11: Maintain a vulnerability management program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Slide 12: Implement strong access control measures
- Requirement 7: Restrict access to data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Slide 13: Regularly monitor and test networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Slide 14: Maintain an information security policy
- Requirement 12: Maintain a policy that addresses information security
Slide 15: Merchant Classification Review
- Offices that use processing software which runs on servers owned and managed by that office: Complex Compliance Group.
- Offices that process payments through webCredit or card-swipe terminals, or that use an outside vendor to process payments: Simplified Compliance Group.
- Which group do you belong to?
Slide 16: How do we prove we're compliant?
- Complete the relevant sections of the PCI Self-Assessment Questionnaire (both merchant types).
- Submit payment card servers to vulnerability scans by an approved scanning vendor at least quarterly (Complex Compliance Group only). The company chosen to do the scans at MSU is Ambiron TrustWave.
Slide 17: Compliance for Complex Compliance Merchants
- We believe we have talked with all Complex Compliance Group merchants at MSU. If we have not yet contacted you and you believe you belong in this group, please contact Mary Nelson at 355-5023, ext. 150 or at nelsonm_at_ctlr.msu.edu.
- Scanning of payment card servers and completion of the entire PCI DSS Self-Assessment Questionnaire will be required; scanning is targeted to be completed by December 31, 2005.
Slide 18: Compliance for Simplified Compliance Merchants
- How do you process payments?
  - Through MSU's webCredit
  - Through a company you contract with to handle your payment card processing
  - Using a card-swipe terminal
  - Using a card-swipe terminal attached to a PC-style cash register
Slide 19: Compliance for Simplified Compliance Merchants (cont.)
- How do you receive payment card information from your customers?
  - Customer-entered through a web storefront
  - Via US Mail
  - Via e-mail
  - Via paper fax or fax server
  - Over the phone
  - In person
Slide 20: Compliance for Simplified Compliance Merchants (cont.)
- Do you store payment card information?
  - On paper
  - On card-imprint carbon forms
  - In a computer file, spreadsheet, database, imaging server, fax server or as e-mail attachments
  - On audit tapes from card-swipe terminals
  - On backup/storage media such as tape, microfilm, CD or DVD, etc.
Slide 21: What's next?
- If you can get rid of stored payment card information, do it.
- If you accept payment card information from customers via e-mail, an unsecured web form, a fax server or a network-attached fax, find another way: this is not safe.
- If you store payment card numbers and expiration dates in order to process future or multiple payments, consider another method. webCredit can handle scheduled payments.
Slide 22: What's next? (cont.)
- Review the relevant portions of the PCI Data Security Standard.
- Modify office procedures and policies as needed.
- Restrict payment card information to personnel with a need to know.
- Prepare to complete the appropriate portions of the PCI DSS Self-Assessment Questionnaire, which will be forwarded to Mary Nelson (details to follow).
Slide 23: What's next? (cont.)
- If you contract with an outside vendor to process payment card payments on your behalf, consult with that vendor to ensure that compliance is guaranteed.
- Offices that do not comply risk having their ability to accept payment card payments revoked by the MSU Controller's Office.
Slide 24: PCI DSS Self-Assessment Questionnaire Sample Questions
- 3.1 Is sensitive cardholder data securely disposed of when no longer needed?
- 3.2 Is it prohibited to store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.) in the database, log files, or point-of-sale products?
- 3.3 Is it prohibited to store the card-validation code (three-digit value printed on the signature panel of a card) in the database, log files, or point-of-sale products?
- 3.4 Are all but the last four digits of the account number masked when displaying cardholder data?
- 3.5 Are account numbers (in databases, logs, files, backup media, etc.) stored securely, for example by means of encryption or truncation?
- 3.6 Are account numbers sanitized before being logged in the audit log?
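The checks behind questions 3.2 to 3.6, worked as an added example that is not part of the MSU deck and not code from webCredit or any MSU system: a small Python scanner that flags Luhn-valid card numbers and full track-2 data in a stored file (the kind of spreadsheet or fax-server export slide 20 asks about), masks a number to its last four digits as 3.4 requires, and scrubs numbers from a log line before it is written, as 3.6 requires. The regexes, the sample spreadsheet and the sample log line are this example's own assumptions; the card numbers in the sample are the publicly documented Visa and MasterCard test numbers, not real accounts.

```python
"""Find, mask and sanitize payment card numbers (PANs) in stored data and logs.

Added example, not code from the MSU deck: illustrates questionnaire items
3.2 to 3.6. The regexes and the sample data are this example's assumptions.
"""
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Full track-2 data as read from a magnetic stripe (3.2): start sentinel ';',
# PAN, '=' separator, YYMM expiry, service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\?")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check-digit test that every payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list:
    """Luhn-valid card numbers in text, digits only, in order of appearance."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):              # drops order numbers and other digit runs
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display form required by 3.4: every digit but the last four replaced."""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_log_line(line: str) -> str:
    """Scrub a line before it reaches the audit log (3.6): each Luhn-valid PAN is masked."""
    def _mask(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_mask, line)


def scan_stored_file(text: str) -> dict:
    """Report what a stored file holds that 3.2 forbids (track data) or 3.5 says to protect (PANs)."""
    return {"pans": find_pans(text), "track2": TRACK2_RE.findall(text)}


# Constructed sample: a departmental spreadsheet export holding test card numbers,
# an order number that is not a card number, and a pasted track-2 read.
SAMPLE_SPREADSHEET = (
    "customer,card,expiry\n"
    "alice,4111 1111 1111 1111,12/07\n"
    "bob,5500-0000-0000-0004,03/08\n"
    "order,1234567890123,n/a\n"
    ";4012888888881881=0712101123456789?\n"
)
# Constructed sample log line from a hypothetical payment application.
SAMPLE_LOG_LINE = "2005-06-30 10:15:02 charge ok pan=4111111111111111 amount=25.00"

if __name__ == "__main__":
    report = scan_stored_file(SAMPLE_SPREADSHEET)
    for pan in report["pans"]:
        print("stored PAN found:", mask_pan(pan))
    for _track in report["track2"]:
        print("full track-2 data found (must not be stored at all)")
    print(sanitize_log_line(SAMPLE_LOG_LINE))
```

The Luhn filter is what keeps the scanner useful on real files: a 13-digit order number in the sample is skipped, while a card number written with spaces or dashes is still caught. Masking happens after the Luhn check so that an unrelated digit run in a log line is left untouched, and track-2 data is reported separately because the only acceptable remediation for it is deletion, not encryption.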
Slide 25: Sample Questions (cont.)
- 4.1 Are transmissions of sensitive cardholder data encrypted over public networks through the use of SSL or other industry-acceptable methods?
- 4.2 If SSL is used for transmission of sensitive cardholder data, is it using version 3.0 with 128-bit encryption?
- 4.5 Is encryption used in the transmission of account numbers via e-mail?
Slide 26: Sample Questions (cont.)
- 5.1 Is there a virus scanner installed on all servers and on all workstations, and is the virus scanner regularly updated?
Slide 27: Sample Questions (cont.)
- 7.1 Is access to payment card account numbers restricted for users on a need-to-know basis?
Slide 28: Sample Questions (cont.)
- 8.1 Are all users required to authenticate using, at a minimum, a unique username and password?
- 8.2 If employees, administrators, or third parties access the network remotely, is the remote access software (such as PCAnywhere, dial-in, or VPN) configured with a unique username and password and with encryption and other security features turned on?
- 8.3 Are all passwords on network devices and systems encrypted?
- 8.4 When an employee leaves the company, are that employee's user accounts and passwords immediately revoked?
- 8.5 Are all user accounts reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist?
- 8.6 Are non-consumer accounts that are not used for a lengthy amount of time (inactive accounts) automatically disabled in the system after a pre-defined period?
Slide 29: Sample Questions (cont.)
- 8.7 Are accounts used by vendors for remote maintenance enabled only during the time needed?
- 8.8 Are group, shared, or generic accounts and passwords prohibited for non-consumer users?
- 8.9 Are non-consumer users required to change their passwords on a predefined regular basis?
- 8.10 Is there a password policy for non-consumer users that enforces the use of strong passwords and prevents the resubmission of previously used passwords?
- 8.11 Is there an account-lockout mechanism that blocks a malicious user from obtaining access to an account by multiple password retries or brute force?
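Questions 8.10 and 8.11, worked as an added example that is not from the deck and not code from any MSU system: a minimal Python account model that locks the account after repeated bad passwords (the correct password is refused while the lock holds), clears the lock after a fixed window, and refuses a new password that matches any of the recently used ones. The six-attempt threshold, the 30-minute lockout, the four-password history, the seven-character letters-plus-digits rule and the injectable clock are all assumptions made for the example; check the thresholds in the requirement text you are actually assessed against.

```python
"""Account lockout and password-reuse checks for non-consumer (staff) accounts.

Added example, not code from the MSU deck: models questionnaire items 8.10
(strong passwords, no reuse of recent passwords) and 8.11 (lockout after
repeated bad passwords). All thresholds below are assumptions for the example.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 6            # assumption: lock after six consecutive failures
LOCKOUT_SECONDS = 30 * 60   # assumption: 30-minute lockout
HISTORY_DEPTH = 4           # assumption: the last four passwords may not be reused
MIN_LENGTH = 7              # assumption: at least seven characters, letters and digits


def strong_enough(password: str) -> bool:
    """Policy check for 8.10: minimum length plus a mix of letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen history cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    """One staff account. `clock` is injectable so lockout expiry can be tested."""

    def __init__(self, username: str, password: str, clock=time.time):
        if not strong_enough(password):
            raise ValueError("password does not meet policy")
        self.username = username
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0
        self.history = []                   # (salt, digest) pairs, newest last
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        del self.history[:-HISTORY_DEPTH]   # keep only the most recent entries

    @staticmethod
    def _matches(password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def is_locked(self) -> bool:
        return self.clock() < self.locked_until

    def login(self, password: str) -> bool:
        """True only for the current password on an unlocked account (8.11)."""
        if self.is_locked():
            return False                    # even the right password is refused while locked
        if self.locked_until:               # an earlier lock has expired: start a fresh count
            self.locked_until = 0.0
            self.failures = 0
        if self._matches(password, self.history[-1]):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = self.clock() + LOCKOUT_SECONDS
        return False

    def change_password(self, new_password: str) -> None:
        """Reject weak passwords and any password still in the reuse history (8.10)."""
        if not strong_enough(new_password):
            raise ValueError("password does not meet policy")
        if any(self._matches(new_password, e) for e in self.history):
            raise ValueError("password was used recently")
        self._store(new_password)
        self.failures = 0
```

Two details matter for the questionnaire's wording: the lock is checked before the password is compared, so a brute-force run gains nothing from guessing correctly during the window, and reuse is detected by comparing against every stored digest rather than only the current one, each with its own salt.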
Slide 30: Sample Questions (cont.)
- 9.1 Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?
- 9.2 If wireless technology is used, do you restrict access to wireless access points, wireless gateways, and wireless handheld devices?
- 9.3 Are equipment (such as servers, workstations, laptops, and hard drives) and media containing cardholder data physically protected against unauthorized access?
Slide 31: Sample Questions (cont.)
- 9.4 Is all cardholder data printed on paper or received by fax protected against unauthorized access?
- 9.5 Are procedures in place to handle secure distribution and disposal of backup media and other media containing sensitive cardholder data?
- 9.6 Are all media devices that store cardholder data properly inventoried and securely stored?
- 9.7 Is cardholder data deleted or destroyed before it is physically disposed of (for example, by shredding papers or degaussing backup media)?
Slide 32: Sample Questions (cont.)
- 12.1 Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?
- 12.2 Are information security policies and other relevant security information disseminated to all system users (including vendors, contractors, and business partners)?
- 12.3 Are information security policies reviewed at least once a year and updated as needed?
- 12.4 Have the roles and responsibilities for information security been clearly defined within the company?
- 12.5 Is there an up-to-date information security awareness and training program in place for all system users?
- 12.6 Are employees required to sign an agreement verifying they have read and understood the security policies and procedures?
Slide 33: Sample Questions (cont.)
- 12.7 Is a background investigation (such as a credit- and criminal-record check, within the limits of local law) performed on all employees with access to account numbers?
- 12.8 Are all third parties with access to sensitive cardholder data contractually obligated to comply with card association security standards?
- 12.9 Is a security incident response plan formally documented and disseminated to the appropriate responsible parties?
- 12.10 Are security incidents reported to the person responsible for security investigation?
- 12.11 Is there an incident response team ready to be deployed in case of a cardholder data compromise?
Slide 34: Proposed Requirements for University Units that Accept Payment Cards
- Units must comply with all Payment Card Industry Data Security Standard (PCI DSS) requirements. Any exceptions must be approved by the Controller's Office, based on the University's payment card processor accepting alternate control measures.
Slide 35: Proposed Requirements (cont.)
- Simplified compliance requirements apply to units that use only:
  - Non-internet-attached card-swipe systems
  - Paper-based payment card processes, or
  - Centrally provided (webCredit) payment card processing with no unit-based electronic storage of payment card numbers.
Slide 36: Proposed Requirements (cont.)
- Units must obtain Controller's Office approval before:
  - Developing or purchasing computer-based systems that store or process payment card data
  - Contracting with a payment card acceptance/processing entity outside the University
  - Storing cardholder data that includes payment card numbers on unit-controlled networked systems (including but not limited to storage in spreadsheets, word processing documents, imaging systems, networked fax servers, etc.)
Slide 37: Proposed Requirements (cont.)
- Every merchant unit must:
  - Perform a risk assessment for payment card operations at least once per year, or when procedures or technology change.
  - Respond to periodic questionnaires or surveys when requested by the Controller's Office, to confirm the unit's ongoing PCI DSS compliance.
  - Document who (positions or persons) is responsible for payment card data security in the unit.
  - Have written operational procedures for payment card acceptance and related processes.
Slide 38: Proposed Requirements (cont.)
- Every merchant must:
  - Review and update, as needed, all required payment card related policies, procedures and documentation, at least once per year.
  - Define, in writing, security responsibilities for all employees and contractors who have access to payment card data.
  - Educate all employees about the importance of cardholder data security at inception of duties involving cardholder data, and on an ongoing basis.
  - Require employees to acknowledge in writing that they have read and understood University and departmental payment card data security policies and procedures.
Slide 39: Proposed Requirements (cont.)
- Every merchant must:
  - Screen employees, contractors, or volunteers who will have access to more than one card number at a time. (Note: University background checks for regular employees are sufficient to meet this requirement; units that use student or other employees are responsible for screening them.)
  - Remove access to payment card related systems or data immediately when employees, contractors or volunteers cease duties related to payment card processing.
  - Prohibit use of wireless communications to access payment-card-related computer systems.
Slide 40: Proposed Requirements (cont.)
- Every merchant must:
  - Prohibit solicitation of payment card data from customers by e-mail.
  - Appropriately secure all records that include payment cardholder data, including physical security of paper materials.
  - Report any potential exposure (to unauthorized parties) or loss of cardholder data to the Controller's Office (CO) immediately.
  - Contractually require third parties with access to cardholder data to adhere to PCI DSS requirements.
  - Assume responsibility for payment card industry financial penalties that may arise out of unit non-compliance with PCI DSS requirements.
Slide 41: Proposed Requirements (cont.)
- Units with computer-based systems that store or process payment card data must additionally:
  - Complete a full PCI DSS self-assessment questionnaire annually.
  - Submit to and pay for vulnerability scanning of payment-card systems as required by PCI DSS.
  - Maintain payment-card-related systems on a subnetwork segmented to limit scanning requirements to the appropriate unit-based systems. (Network configuration guidance is available from the Academic Computing and Network Services (ACNS) Network Security group.)
Slide 42: Proposed Requirements (cont.)
- Units with computer-based systems that store or process payment card data must additionally:
  - Obtain Controller's Office approval for significant changes to the configuration of payment card processing or storage hardware, software or network.
  - Review the PCI DSS requirements in full, and comply with all PCI DSS requirements applicable to their technical and systems management environment. Any exceptions must be approved by the Controller's Office, based on the University's credit card processor accepting alternate control measures.
Slide 43: Proposed Requirements (cont.)
- Units that contract with a payment card acceptance/processing entity outside the University must ensure, via contract provisions, that the entity is compliant with PCI DSS requirements.
Slide 44: Web Sites of Interest
- Payment Card Industry Data Security Standard
  - http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf
- PCI Self-Assessment Questionnaire
  - https://sdp.mastercardintl.com/pdf/758_PCI_Self_Assmnt_Qust.pdf
- VISA Security Information web site
  - http://www.visa.com/cisp
- Managing Sensitive Data Initiative web site
  - http://lct.msu.edu/security
- Ambiron TrustWave
  - http://www.atwcorp.com/
Slide 45: Contact Information
- Contract review/questions, business office practices
  - Mary Nelson, Controller's Office
  - 355-5023, ext. 150 or nelsonm_at_ctlr.msu.edu
- Questions about webCredit
  - 353-4420, ext. 311 or webcredit_at_ais.msu.edu
- Network configuration and security
  - Joe Budzyn, ACNS
  - 432-7448 or budzyn_at_msu.edu
- Audit concerns
  - Rob Humphrey
  - 355-5030 or humphr70_at_msu.edu
Slide 46: Questions?