Credit Card Processing

Below is information about credit card processing and the Payment Card Industry Data Security Standard (PCI-DSS).

Background

The Payment Card Industry (PCI) has created requirements for protecting payment card information, including information in computers which process and store credit card and other payment card information. These requirements became effective June 30, 2005 and the University must adhere to these standards to limit its liability and continue to process payments using payment cards.

Scope

All computers and electronic devices at the University of Minnesota involved in processing payment card data are impacted by the PCI Data Security Standard. This includes servers that store payment card numbers, workstations that are used to enter payment card information into a central system (e.g., ordering tickets over the phone), and any computers through which the payment card information is transmitted.

The University and all units that process payment card data have a contractual obligation to adhere to the PCI Data Security Standard (PCI-DSS). The Payment Card Compliance Office and the Office of Information Technology (OIT) are working with departments to ensure compliance.

The following actions are required to meet the Payment Card Industry requirements.

For Servers

For Desktops/Other Devices

Frequently Asked Questions


What information is needed to develop a firewall rule?

When making firewall rule requests, you need to provide six pieces of information to University Information Security:

  1. source IP/range
  2. source port
  3. destination IP/range
  4. destination port
  5. protocol (TCP/UDP)
  6. business reason for the change

When reporting connectivity problems, technical support staff need to provide the following to University Information Security:

  1. source IP
  2. destination IP
  3. type of traffic attempted (SSH connection, HTTP connection, etc.)
  4. time/date of the attempt

If the problem cannot be diagnosed from the firewall's logs of denied traffic, University Information Security can arrange to have the logging level on the network firewall turned up temporarily so that all connections are logged, both those that were allowed and those that were denied.

Users should report connectivity issues to the technical support staff who provide support for their operations.

What group will be managing the FWSMs for the secure credit card vlan?

OIT will have to approve all changes. Send change requests to University Information Security at abuse@umn.edu.

Can I run a host based firewall?

Yes. Host- or device-based firewalls offer another layer of defense.

Will the ACLs for the secure credit card vlan drop packets based on protocol?

Yes, but we do not anticipate doing this.

Can other servers be put in the secure credit card vlan?

For management reasons, this will not be allowed, as it increases the scope of PCI compliance. Servers in the secure credit card vlan must meet all PCI-DSS requirements.

What traffic will be allowed for all vlans?

DNS to the two main nameservers and NTP will be allowed by default, as will ICMP traffic for network maintenance. Access will be allowed for University Information Security scanners.

What steps should be followed when decommissioning a device involved in credit card processing?

  1. Securely wipe or physically destroy the hard drive
  2. Email abuse@umn.edu (University Information Security) and pmtcard@umn.edu (University PCI Compliance/Controller's Office) the following:
     • IP address
     • MAC address
     • Network jack location of the device *
     • Reason for decommissioning (e.g., completed UM1705 form stating no longer processing)
     • Secure data deletion process:
         - Method used
         - Date completed
         - Completed by
     • Merchant Account #/Merchant Manager
     • FWSM firewall rule change, if applicable
  3. Update your PCI computer inventory and your network diagram
  4. Update your Qualys asset group

* If the network jack will no longer be used for credit card processing, include the MID that University Information Security should transfer the jack to.

After receiving this information, University Information Security will work with you and the Controller's Office to complete the decommissioning process.

What are some tips on how to secure the web browser?


Resources & Links