Payment Card Industry Data Security Standards

1
Payment Card Industry Data Security Standards

• Michigan State Universitys project to attain
  compliance

2
What is PCI DSS?

• Payment Card Industry Data Security Standards
  were developed by Visa and MasterCard and have
  been adopted by other major payment card
  companies.
• PCI DSS is an extensive set of guidelines that
  help keep customers payment card information
  safe.
• Compliance with PCI DSS guidelines is required
  non-compliance, in the event of data exposure,
  may result in significant fines for the merchant
  (i.e., MSU) 500,000 and up.

3
When do the new rules take effect?
June, 2005
4
PCI DSS Project Team

• Mary Nelson, Manager of the MSU Cashiers Office,
  is leading the project.
• Administrative Information Services (AIS),
  Academic Computing and Network Services (ACNS)
  and Internal Audit are helping coordinate the
  work across campus.

5
Who is affected?
Every college and department at MSU that accepts
payment cards, regardless of the amounts
involved, must comply with Payment Card Industry
Data Security Standards.
6
MSU Merchant Classification

• There are two basic types of payment card
  compliance groups at MSU
• Offices that use processing software which runs
  on servers owned and managed by that office
  (Complex Compliance Group).
• Offices that process payments through webCredit
  or card-swipe terminals or that use an outside
  vendor to process payments (Simplified Compliance
  Group).

7
Warning!
If you believe that you belong to the Simplified
Compliance Group, but store payment card
information such as payment card account numbers
and expiration dates on servers (data, fax,
imaging) or on desktop PCs, you may actually
belong to the Complex Compliance Group. More
information on this topic later
8
What are the compliance categories?

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

9
Build and maintain a secure network

• Requirement 1 Install and maintain a firewall
  configuration to protect data
• Requirement 2 Do not use vendor-supplied
  defaults for system passwords and other security
  parameters

10
Protect cardholder data

• Requirement 3 Protect stored data
• Requirement 4 Encrypt transmission of
  cardholder data and sensitive information across
  public networks

11
Maintain a vulnerability management program

• Requirement 5 Use and regularly update
  anti-virus software
• Requirement 6 Develop and maintain security
  systems and applications

12
Implement strong access control measures

• Requirement 7 Restrict access to data by
  business need-to-know
• Requirement 8 Assign a unique ID to each person
  with computer access
• Requirement 9 Restrict physical access to
  cardholder data

13
Regularly monitor and test networks

• Requirement 10 Track and monitor all access to
  network resources and cardholder data
• Requirement 11 Regularly test security systems
  and processes

14
Maintain an information security policy

• Requirement 12 Maintain a policy that addresses
  information security

15
Merchant Classification Review

• Offices that use processing software which runs
  on servers owned and managed by that office
  Complex Compliance Group.
• Offices that process payments through webCredit
  or card-swipe terminals or that use an outside
  vendor to process payments Simplified Compliance
  Group.

Which group do you belong to?
16
How do we prove were compliant?

• Complete relevant sections of the PCI
  Self-Assessment Questionnaire (both merchant
  types).
• Submit payment card servers to vulnerability
  scans by approved vendor at least quarterly
  (Complex Compliance Group only). The company
  chosen to do scans at MSU is Ambiron TrustWave.

17
Compliance for Complex Compliance Merchants

• We believe we have talked with all Complex
  Compliance Group merchants at MSU. If we have
  not yet contacted you and you believe you belong
  in this group, please contact Mary Nelson at
  355-5023, ext 150 or at nelsonm_at_ctlr.msu.edu.
  Scanning of payment card servers and completion
  of the entire PCI DSS Self-Assessment
  Questionnaire will be required and scanning is
  targeted to be completed by December 31, 2005.

18
Compliance for Simplified Compliance Merchants

• How do you process payments?
• Through MSUs webCredit
• Through a company you contract with to handle
  your payment card processing
• Using a card-swipe terminal
• Using a card-swipe terminal attached to a
  PC-style cash register

19
Compliance for Simplified Compliance Merchants
(cont)

• How do you receive payment card information from
  your customers?
• Customer-entered through a web store front
• Via US Mail
• Via e-mail
• Via paper fax or fax server
• Over the phone
• In person

20
Compliance for Simplified Compliance Merchants
(cont)

• Do you store payment card information?
• On paper
• On card-imprint carbon forms
• In a computer file, spreadsheet, database,
  imaging server, fax server or as e-mail
  attachments
• On audit tapes from card-swipe terminals
• On backup/storage media such as tape, microfilm,
  CD or DVD, etc.

21
Whats next?

• If you can get rid of stored payment card
  information, do it.
• If you accept payment card information from
  customers via e-mail, unsecured web form, fax
  server or network-attached fax, find another way
  this is not safe.
• If you store payment card numbers and expiration
  dates in order to process future or multiple
  payments, consider another method. webCredit can
  handle scheduled payments.

22
Whats next? (cont)

• Review the relevant portions of the PCI Data
  Security Standards.
• Modify office procedures and policies as needed.
• Restrict payment card information to personnel
  with a need to know.
• Prepare to complete the appropriate portions of
  the PCI DSS Self-Assessment Questionnaire which
  will be forwarded to Mary Nelson (details to
  follow).

23
Whats next? (cont)

• If you contract with an outside vendor to process
  payment card payments on your behalf, consult
  with that vendor to ensure that compliance is
  guaranteed.
• Offices that do not comply risk having the
  ability to accept payment card payments revoked
  by the MSU Controllers Office.

24
PCI DSS Self-Assessment Questionnaire Sample
Questions
3.1 Is sensitive cardholder data securely
disposed of when no longer needed? 3.2 Is it
prohibited to store the full contents of any
track from the magnetic stripe (on the back of
the card, in a chip, etc.) in the database, log
files, or point-of-sale products? 3.3 Is it
prohibited to store the card-validation code
(three-digit value printed on the signature panel
of a card) in the database, log files, or
point-of-sale products? 3.4 Are all but the last
four digits of the account number masked when
displaying cardholder data? 3.5 Are account
numbers (in databases, logs, files, backup media,
etc.) stored securely for example, by means of
encryption or truncation? 3.6 Are account numbers
sanitized before being logged in the audit log?
25
Sample Questions (cont)
4.1 Are transmissions of sensitive cardholder
data encrypted over public networks through the
use of SSL or other industry acceptable
methods? 4.2 If SSL is used for transmission of
sensitive cardholder data, is it using version
3.0 with 128-bit encryption? 4.5 Is encryption
used in the transmission of account numbers via
e-mail?
26
Sample Questions (cont)
5.1 Is there a virus scanner installed on all
servers and on all workstations, and is the virus
scanner regularly updated?
27
Sample Questions (cont)
7.1 Is access to payment card account numbers
restricted for users on a need-to-know basis?
28
Sample Questions (cont)
8.1 Are all users required to authenticate using,
at a minimum, a unique username and password? 8.2
If employees, administrators, or third parties
access the network remotely, is remote access
software (such as PCAnywhere, dial-in, or VPN)
configured with a unique username and password
and with encryption and other security features
turned on? 8.3 Are all passwords on network
devices and systems encrypted? 8.4 When an
employee leaves the company, are that employees
user accounts and passwords immediately
revoked? 8.5 Are all user accounts reviewed on a
regular basis to ensure that malicious,
out-of-date, or unknown accounts do not exist?
8.6 Are non-consumer accounts that are not used
for a lengthy amount of time (inactive accounts)
automatically disabled in the system after a
pre-defined period?
29
Sample Questions (cont)
8.7 Are accounts used by vendors for remote
maintenance enabled only during the time needed?
8.8 Are group, shared, or generic accounts and
passwords prohibited for non-consumer users? 8.9
Are non-consumer users required to change their
passwords on a predefined regular basis? 8.10 Is
there a password policy for non-consumer users
that enforces the use of strong passwords and
prevents the resubmission of previously used
passwords? 8.11 Is there an account-lockout
mechanism that blocks a malicious user from
obtaining access to an account by multiple
password retries or brute force?
30
Sample Questions (cont)
9.1 Are there multiple physical security controls
(such as badges, escorts, or mantraps) in place
that would prevent unauthorized individuals from
gaining access to the facility? 9.2 If wireless
technology is used, do you restrict access to
wireless access points, wireless gateways, and
wireless handheld devices? 9.3 Are equipment
(such as servers, workstations, laptops, and hard
drives) and media containing cardholder data
physically protected against unauthorized access?
31
Sample Questions (cont)
9.4 Is all cardholder data printed on paper or
received by fax protected against unauthorized
access? 9.5 Are procedures in place to handle
secure distribution and disposal of backup media
and other media containing sensitive cardholder
data? 9.6 Are all media devices that store
cardholder data properly inventoried and securely
stored? 9.7 Is cardholder data deleted or
destroyed before it is physically disposed (for
example, by shredding papers or degaussing backup
media)?
32
Sample Questions (cont)
12.1 Are information security policies, including
policies for access control, application and
system development, operational, network and
physical security, formally documented? 12.2 Are
information security policies and other relevant
security information disseminated to all system
users (including vendors, contractors, and
business partners)? 12.3 Are information
security policies reviewed at least once a year
and updated as needed? 12.4 Have the roles and
responsibilities for information security been
clearly defined within the company? 12.5 Is
there an up-to-date information security
awareness and training program in place for all
system users? 12.6 Are employees required to
sign an agreement verifying they have read and
understood the security policies and procedures?
33
Sample Questions (cont)
12.7 Is a background investigation (such as a
credit- and criminal-record check, within the
limits of local law) performed on all employees
with access to account numbers? 12.8 Are all
third parties with access to sensitive cardholder
data contractually obligated to comply with card
association security standards? 12.9 Is a
security incident response plan formally
documented and disseminated to the appropriate
responsible parties? 12.10 Are security
incidents reported to the person responsible for
security investigation? 12.11 Is there an
incident response team ready to be deployed in
case of a cardholder data compromise?
34
Proposed Requirements for University Units that
Accept Payment Cards

• Units must comply with all Payment Card Industry
  Data Security Standard (PCI DSS) requirements.
  Any exceptions must be approved by the
  Controllers Office, based on the Universitys
  payment card processor accepting alternate
  control measures.

35
Proposed Requirements (cont)

• Simplified compliance requirements apply to units
  that use only  
• Non-internet-attached card-swipe systems
• Paper-based payment card processes, or
• Centrally provided (webCredit) payment card
  processing with no unit-based electronic storage
  of payment card numbers.

36
Proposed Requirements (cont)

• Units must obtain Controllers Office approval
  before
• Developing or purchasing computer-based systems
  that store or process payment card data
• Contract with a payment card acceptance/processing
  entity outside the University
• Store cardholder data that includes payment card
  numbers on unit-controlled networked systems
  (including but not limited to storage in
  spreadsheets, word processing documents, imaging
  systems, networked fax servers, etc.)

37
Proposed Requirements (cont)

• Every merchant unit must 
• Perform a risk assessment for payment card
  operations at least once per year, or when
  procedures or technology change.
• Respond to periodic questionnaires or surveys
  when requested by the Controllers Office, to
  confirm your units ongoing PCI DSS compliance.
• Document who (positions or persons) is
  responsible for payment card data security in the
  unit.
• Have written operational procedures for payment
  card acceptance and related processes.

38
Proposed Requirements (cont)

• Every merchant must
• Review and update, as needed, all required
  payment card related policies, procedures and
  documentation, at least once per year.
• Define, in writing, security responsibilities for
  all employees and contractors who have access to
  payment card data.
• Educate all employees about the importance of
  cardholder data security at inception of duties
  involving cardholder data, and on an ongoing
  basis.
• Require employees to acknowledge in writing that
  they have read understood University and
  departmental payment card data security policies
  procedures.

39
Proposed Requirements (cont)

• Every merchant must
• Screen employees, contractors, or volunteers who
  will have access to more than one card number at
  a time. (Note University background checks for
  regular employees are sufficient to meet this
  requirement units who involve student or other
  employees are responsible for screening.)
• Remove access to payment card related systems or
  data immediately when employees, contractors or
  volunteers cease duties related to payment card
  processing.
• Prohibit use of wireless communications to access
  payment-card-related computer systems.

40
Proposed Requirements (cont)

• Every merchant must
• Prohibit solicitation of payment card data from
  customers by e-mail
• Appropriately secure all records that include
  payment cardholder data, including physical
  security of paper materials.
• Report any potential exposure (to unauthorized
  parties) or loss of cardholder data to CO
  immediately.
• Contractually require third parties with access
  to cardholder data to adhere to PCI DSS
  requirements.
• Assume responsibility for payment card industry
  financial penalties that may arise out of unit
  non-compliance with PCI DSS requirements.

41
Proposed Requirements (cont)

• Units with computer-based systems that store or
  process payment card data must additionally 
• Complete a full PCI DSS self-assessment
  questionnaire annually.
• Submit to and pay for vulnerability scanning of
  payment-card systems as required by PCI DSS.
• Maintain payment-card-related systems on a
  subnetwork segmented to limit scanning
  requirements to appropriate unit-based systems.
  (Network configuration guidance is available from
  Academic Computing Network Services Network
  Security group.)

42
Proposed Requirements (cont)

• Units with computer-based systems that store or
  process payment card data must additionally
• Obtain Controllers Office approval for
  significant changes of configuration of payment
  card processing or storage hardware, software or
  network.
• Review PCI DSS requirements in full, and comply
  with all PCI DSS requirements applicable to their
  technical and systems management environment. Any
  exceptions must be approved by the Controllers
  Office, based on the Universitys credit card
  processor accepting alternate control measures.

43
Proposed Requirements (cont)

• Units that contract with a payment card
  acceptance/processing entity outside the
  University must ensure, via contract provisions,
  that that entity is compliant with PCI DSS
  requirements.

44
Web Sites of Interest

• Payment Card Industry Data Security Standards
  http//usa.visa.com/download/business/accepting_vi
  sa/ops_risk_management/cisp_PCI_Data_Security_Stan
  dard.pdf
• PCI Self-Assessment Questionnaire
  https//sdp.mastercardintl.com/pdf/758_PCI_Self_As
  smnt_Qust.pdf
• VISA Security Information web site
• http//www.visa.com/cisp
• Managing Sensitive Data Initiative web site
• http//lct.msu.edu/security
• Ambiron TrustWave
• http//www.atwcorp.com/

45
Contact Information

• Contract review/questions, business office
  practices
• Mary Nelson, Controllers Office
• 355-5023, ext 150 or nelsonm_at_ctlr.msu.edu
• Questions about webCredit
• 353-4420, ext 311 or webcredit_at_ais.msu.edu
• Network configuration and security
• Joe Budzyn, ACNS
• 432-7448 or budzyn_at_msu.edu
• Audit Concerns
• Rob Humphrey
• 355-5030 or humphr70_at_msu.edu

46
Questions?