PCI Data Security Standards
Section 3: Payment Card Industry Data Security Standards
Payment Card Industry Data Security Standards (PCI-DSS) are national standards from the Card Association and apply to all organizations anywhere in the country that process, transmit or store payment cardholder data. William & Mary and all departments that process payment card data have a contractual obligation to adhere to the PCI Data Security Standard. We must adhere to these standards to continue to process payments using payment cards and to protect our clients' data.
The current version of the standard specifies 12 requirements for compliance, organized into six related groups, which are called control objectives. All of these requirements revolve around securing the cardholder information, permitting access to the information only when there is a business need, and destroying the information in a secure manner. The control objectives and their associated requirements are:
3.1 Build and Maintain a Secure Network and Systems
W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance with these requirements.
Requirement 1 - Install and maintain network security controls.
- Implement network security controls (NSCs) that protect the cardholder data environment from unauthorized access from untrusted networks.
Requirement 2 – Apply secure configurations to all system components
- Always change the vendor-supplied defaults before you install a system on the network (e.g., passwords, SNMP community strings, and elimination of unnecessary accounts).
- Configure system security parameters to prevent misuse.
Protect Account Data
W&M Information Technology, VIMS Information Technology and each department are responsible for ensuring compliance for these requirements.
Requirement 3 – Protect stored account data.
- Do not store sensitive authentication data subsequent to authorization (not even if encrypted).
- Keep cardholder information storage to a minimum.
- Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
- Do not store full contents of any track from the magnetic stripe (on the back of a card, in a chip, etc.)
- Do not store the card-validation code, the three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data), or the PIN Verification Value (PVV).
- Mask account numbers when displayed (the first six and last four digits are the maximum number of digits to be displayed).
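As an added illustration of the masking rule above (example code, not part of the W&M policy or the PCI standard), the helper below masks a primary account number to its first six and last four digits and flags unmasked PANs that have leaked into free text such as a log line; the Luhn check used to cut false positives and the sample log line are constructed assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run. (Constructed pattern for this example.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log line: one real-format test PAN plus a 16-digit
# reference number that is NOT Luhn-valid and must not be reported.
SAMPLE_LOG = ("2024-03-01T10:15:00 checkout user=alice pan=4111111111111111 "
              "ref=1234567890123456 amount=12.50")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN showing at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_unmasked_pans(text: str) -> list[str]:
    """List Luhn-valid PANs appearing in clear text (e.g. a log or receipt)."""
    return [re.sub(r"\D", "", m.group(0))
            for m in PAN_RE.finditer(text) if _is_pan(m.group(0))]


def redact_log_line(line: str) -> str:
    """Replace each unmasked PAN in a line with its masked form."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if _is_pan(m.group(0)) else m.group(0),
        line)
```

Running `find_unmasked_pans` over application and web-server logs is a cheap check that Requirement 3's "no unmasked storage" rule is actually being met.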
Requirement 4 – Protect cardholder data with strong cryptography during transmission over open, public networks.
- Never send cardholder information via unencrypted email.
- Use strong cryptography and encryption to safeguard sensitive cardholder data during transmission over public networks.
3.2 Maintain a Vulnerability Management Program
W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance for these requirements.
Requirement 5 – Protect all systems and networks from malicious software.
- Deploy anti-virus mechanisms on all systems commonly affected by viruses (e.g., PCs and servers).
- Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Requirement 6 – Develop and maintain secure systems and software.
- Ensure that all system components and software have the latest vendor-supplied security patches.
- Install relevant security patches within one month of release.
- Establish a process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet).
- Develop software applications based on industry best practices and include information security throughout the software development lifecycle.
- Follow change control procedures for all systems and software configuration changes.
- Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project guidelines.
3.3 Implement Strong Access Control Measures
W&M Information Technology, VIMS Information Technology and each department are responsible for ensuring compliance for these requirements.
Requirement 7 – Restrict access to system components and cardholder data by business need to know.
- Limit access to computing resources and cardholder information to only those individuals whose job requires such access.
- Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
- Access is managed via an access control system(s).
Requirement 8 – Identify users and authenticate access to system components.
- Identify all users with a unique username before allowing them to access system components or cardholder data.
- Multi-factor authentication (MFA) is configured and implemented.
- Encrypt all passwords during transmission and storage, on all system components.
- Remove inactive user accounts at least every 90 days.
- Distribute password procedures and policies to all users who have access to cardholder information.
- Do not use group, shared, or generic accounts/passwords.
- Change user passwords at least every 90 days.
- Limit repeated attempts by locking out the user ID after not more than six attempts.
- Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users.
Requirement 9 – Restrict physical access to cardholder data.
- Physically secure all paper and electronic media (e.g., computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder information.
- Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
- Restrict physical access to wireless access points, gateways, and handheld devices.
- Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder information is accessible.
- Make sure all visitors are authorized before entering areas where cardholder data is processed or maintained.
- Maintain strict control over the storage and accessibility of media that contains cardholder information:
  - Properly inventory all media and make sure it is securely stored.
- Destroy media containing cardholder information when it is no longer needed for business or legal reasons:
  - Cross-cut shred, incinerate, or pulp hardcopy materials.
  - Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.
3.4 Regularly Monitor and Test Networks
W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance for these requirements.
Requirement 10 – Log and monitor all access to system components and cardholder data.
Requirement 11 – Test security systems and networks regularly.
- Test security controls, limitations, network connections, and restrictions routinely to make sure they can adequately identify or stop any unauthorized access attempts.
- Identify and monitor wireless access points; address unauthorized wireless access points.
- Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (e.g., changes in network topology, firewall rule modifications, product upgrades).
- Perform penetration testing on network infrastructure and applications at least once a year and after any significant infrastructure or application upgrade or modification (e.g., operating system upgrade, sub-network added to environment, web server added to environment).
- Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems.
3.5 Maintain an Information Security Policy
W&M Information Technology, VIMS Information Technology, and each department are responsible for ensuring compliance for this requirement.
Requirement 12 – Support information security with organizational policies and programs.
- Ensure the security policy and procedures clearly define information security responsibilities for all employees and contractors.
- Make all employees aware of the importance of cardholder information security.
- Require employees to acknowledge in writing they have read and understood the company’s security policy and procedures.
- Implement an incident response plan. Be prepared to respond immediately to a system breach.
- Provide appropriate training to staff with security breach response responsibilities.