Control Objective: Build and Maintain a Secure Network and Systems. W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance with these requirements.
Requirement 1 – Install and maintain network security controls.
- Implement network security controls (NSCs) that protect the cardholder data environment from unauthorized access from untrusted networks.
Requirement 2 – Apply secure configurations to all system components.
- Always change the vendor-supplied defaults before you install a system on the network (e.g., passwords, SNMP community strings, and elimination of unnecessary accounts).
- Configure system security parameters to prevent misuse.
Control Objective: Protect Account Data. Each department, W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance with these requirements.
Requirement 3 – Protect stored account data.
- Do not store sensitive authentication data subsequent to authorization (not even if encrypted).
- Keep cardholder information storage to a minimum.
- Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
- Do not store full contents of any track from the magnetic stripe (on the back of a card, in a chip, etc.)
- Do not store the card validation code (the three- or four-digit value printed on the front or back of a payment card, e.g., CVV2 and CVC2 data) or the PIN Verification Value (PVV).
- Mask account numbers when displayed (the first six and last four digits are the maximum to be displayed).
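As an added example (not part of the W&M policy or of PCI DSS itself), the following Python applies the Requirement 3 display rule as a masking function that can never expose more than the first six and last four digits, and adds a Luhn-filtered scan that flags and redacts full account numbers written into log lines. The function names, regex, and sample log lines are assumptions constructed for this illustration; 4111 1111 1111 1111 is a widely used test number, not a real card.

```python
import re
from typing import Optional

# Display rule from Requirement 3: show at most the first six and last four digits.
MAX_LEAD, MAX_TRAIL = 6, 4

def luhn_valid(digits: str) -> bool:
    """Luhn check; drops random digit runs (order ids, timestamps) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str, lead: int = MAX_LEAD, trail: int = MAX_TRAIL) -> str:
    """Mask a PAN for display; a caller may ask for fewer visible digits, never more."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length (13-19 digits)")
    lead, trail = min(lead, MAX_LEAD), min(trail, MAX_TRAIL)
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def _full_pan(text: str) -> Optional[str]:
    """Digits of a regex hit if it is a Luhn-valid PAN, else None."""
    digits = re.sub(r"\D", "", text)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None

def find_unmasked_pans(line: str) -> list:
    """Return every full PAN found in a log line (Requirement 3: do not store it)."""
    return [p for p in (_full_pan(m.group()) for m in PAN_RE.finditer(line)) if p]

def redact_line(line: str) -> str:
    """Rewrite a log line so any full PAN appears only in masked form."""
    def _sub(m):
        pan = _full_pan(m.group())
        return mask_pan(pan) if pan else m.group()
    return PAN_RE.sub(_sub, line)

# Constructed sample log lines (assumed format); the card number is a test value.
SAMPLE_LOG = [
    "2024-01-05 12:00:01 payment ok card=4111 1111 1111 1111 amount=12.50",
    "2024-01-05 12:00:02 order id=1234567890123456 status=shipped",
    "2024-01-05 12:00:03 payment ok card=411111******1111 amount=3.00",
]

if __name__ == "__main__":
    print(*(redact_line(line) for line in SAMPLE_LOG), sep="\n")
```

The second sample line is a 16-digit order id that fails the Luhn check, so the scan leaves it alone rather than reporting a false positive.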
Requirement 4 – Protect cardholder data with strong cryptography during transmission over open, public networks.
- Never send cardholder information via unencrypted email.
- Use strong cryptography and encryption to safeguard sensitive cardholder data during transmission over public networks.
Control Objective: Maintain a Vulnerability Management Program. W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance with these requirements.
Requirement 5 – Protect all systems and networks from malicious software.
- Deploy anti-virus mechanisms on all systems commonly affected by viruses (e.g., PCs and servers).
- Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Requirement 6 – Develop and maintain secure systems and software.
- Ensure that all system components and software have the latest vendor-supplied security patches.
- Install relevant security patches within one month of release.
- Establish a process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet).
- Develop software applications based on industry best practices and include information security throughout the software development lifecycle.
- Follow change control procedures for all systems and software configuration changes.
- Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project guidelines.
Control Objective: Implement Strong Access Control Measures. W&M Information Technology, VIMS Information Technology and each department are responsible for ensuring compliance with these requirements.
Requirement 7 – Restrict access to system components and cardholder data by business need to know.
- Limit access to computing resources and cardholder information to only those individuals whose job requires such access.
- Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know, and is set to "deny all" unless specifically allowed.
- Access is managed via an access control system(s).
Requirement 8 – Identify users and authenticate access to system components.
- Identify all users with a unique username before allowing them to access system components or cardholder data.
- Multi-factor authentication (MFA) is configured and implemented.
- Encrypt all passwords during transmission and storage, on all system components.
- Remove inactive user accounts at least every 90 days.
- Distribute password procedures and policies to all users who have access to cardholder information.
- Do not use group, shared, or generic accounts/passwords.
- Change user passwords at least every 90 days.
- Limit repeated attempts by locking out the user ID after not more than six attempts.
- Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users.
Requirement 9 – Restrict physical access to cardholder data.
- Physically secure all paper and electronic media (e.g., computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder information.
- Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
- Restrict physical access to wireless access points, gateways, and handheld devices.
- Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder information is accessible.
- Make sure all visitors are authorized before entering areas where cardholder data is processed or maintained.
- Maintain strict control over the storage and accessibility of media that contains cardholder information:
  - Properly inventory all media and make sure it is securely stored.
- Destroy media containing cardholder information when it is no longer needed for business or legal reasons:
  - Cross-cut shred, incinerate, or pulp hardcopy materials.
  - Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.
Control Objective: Regularly Monitor and Test Networks. W&M Information Technology and VIMS Information Technology are responsible for ensuring compliance with these requirements.
Requirement 10 – Log and monitor all access to system components and cardholder data.
Requirement 11 – Test security systems and networks regularly.
- Test security controls, limitations, network connections, and restrictions routinely to make sure they can adequately identify or stop any unauthorized access attempts.
- Identify and monitor wireless access points; address unauthorized wireless access points.
- Run internal and external network vulnerability scans at least quarterly and after any significant change (e.g., a change in the network topology, firewall rule modifications, product upgrades).
- Perform penetration testing on network infrastructure and applications at least once a year and after any significant infrastructure or application upgrade or modification (e.g., operating system upgrade, sub-network added to environment, web server added to environment).
- Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems.
Control Objective: Maintain an Information Security Policy. W&M Information Technology, VIMS Information Technology and each department are responsible for ensuring compliance with this requirement.
Requirement 12 – Support information security with organizational policies and programs.
- Ensure the security policy and procedures clearly define information security responsibilities for all employees and contractors.
- Make all employees aware of the importance of cardholder information security.
- Require employees to acknowledge in writing they have read and understood the company’s security policy and procedures.
- Implement an incident response plan. Be prepared to respond immediately to a system breach.
- Provide appropriate training to staff with security breach response responsibilities.