Payment Card Information Consultation

The Payment Card Compliance Office and University Information Security (UIS) work with departments to help them comply with the Payment Card Industry Data Security Standard (PCI DSS). Units are responsible for protecting payment card information and for complying with PCI DSS.

Pre-Approved Solutions

  • Destiny One
  • CyberSource Payment Gateway
  • Authorize.net
  • Clover Payment Terminals
  • Drupal + CyberSource or Authorize.net
  • estore

Scope

Scope is the definition of where the PCI Data Security Standard (PCI DSS) must be applied. In-scope items include any system or device that processes, stores, or transmits cardholder data, or that has the ability to impact the security of cardholder data.

PCI scope will ultimately be determined through the change request process.

Examples:

  • Processing - when cardholder data is actively being used by a system component (e.g., entered, edited, manipulated, printed, viewed)
  • Storing - when cardholder data is inactive or at rest (e.g., located on electronic media, in system component memory, or on paper)
  • Transmitting - when cardholder data is being transferred from one location to another (e.g., data in motion)

Categorizing system components assists with scoping and every system can be placed into one and only one of the following:

  • Category 1 - Systems/devices that process, store or transmit cardholder data, or that are not isolated from other Category 1 system components through controlled access
  • Category 2 - System components that have controlled access to a Category 1 system component. These systems have the ability to impact the security of Category 1 devices.
  • Category 3 - System components that are isolated from all Category 1 system components
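The three category definitions above applied to a constructed inventory, as an added example that is not part of this page: each component is seeded as Category 1 if it touches cardholder data, unrestricted connections to Category 1 components pull their neighbours into Category 1 as well, controlled access to a Category 1 component gives Category 2, and everything else is Category 3. The asset names, the "chd" flag and the "controlled" edge attribute are assumptions for illustration.

```python
from collections import deque

# Constructed inventory for illustration (not a real university asset list).
# chd: True if the component processes, stores or transmits cardholder data.
# EDGES: (a, b, controlled). controlled=False means the two components are
# not isolated from each other (e.g. same flat VLAN); controlled=True means
# access between them is restricted by an approved firewall rule.
ASSETS = {
    "pos-terminal": {"chd": True},
    "payment-web": {"chd": True},
    "db-server": {"chd": False},
    "log-collector": {"chd": False},
    "jump-host": {"chd": False},
    "print-server": {"chd": False},
    "hr-fileserver": {"chd": False},
}
EDGES = [
    ("payment-web", "db-server", False),     # same VLAN, no restriction
    ("payment-web", "log-collector", True),  # firewall rule: web -> syslog
    ("db-server", "jump-host", True),        # firewall rule: admin SSH
    ("log-collector", "print-server", False),
]

def categorize(assets, edges):
    """Return {component: category} using the three definitions above."""
    adj = {n: [] for n in assets}
    for a, b, controlled in edges:
        adj[a].append((b, controlled))
        adj[b].append((a, controlled))
    # Category 1 seeds: components that touch cardholder data.
    cat1 = {n for n, a in assets.items() if a["chd"]}
    # An unrestricted connection to a Category 1 component pulls the
    # neighbour into Category 1 too, so propagate until nothing changes.
    queue = deque(cat1)
    while queue:
        n = queue.popleft()
        for nb, controlled in adj[n]:
            if not controlled and nb not in cat1:
                cat1.add(nb)
                queue.append(nb)
    result = {}
    for n in assets:
        if n in cat1:
            result[n] = 1
        elif any(nb in cat1 for nb, _ in adj[n]):
            result[n] = 2  # controlled access to a Category 1 component
        else:
            result[n] = 3  # isolated from every Category 1 component
    return result

def in_scope(cats):
    """Category 1 and 2 components belong on the PCI asset list."""
    return sorted(n for n, c in cats.items() if c < 3)
```

Note that db-server becomes Category 1 only because of its flat-VLAN link to payment-web, which is why jump-host ends up in Category 2; print-server stays Category 3 because its only link is to a Category 2 component, not a Category 1 one.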

(Figure: credit card processing scope graphic)

Point-to-Point Encryption (P2PE) and Scope Reduction

Point-to-Point Encryption solutions can reduce the scope of the credit card environment. Each P2PE solution must be carefully vetted to ensure that the implementation meets the requirements for compliance scope reduction. Contact the Payment Card Compliance Office to begin the process.

PCI Documentation Requirements

  • Change request and approval - Contact the Payment Card Compliance Office to notify them of new merchants or changes to credit card processing for existing merchants. These must be approved by the Payment Card Compliance Office before changes are made to the credit card processing environment.
  • Network and data flow diagrams - Develop or update your network diagram to show all connections to the cardholder data environment. Network and data flow diagrams should include printers and virtual system components, and should document intra-host data flows. See example. Review and update annually and before any significant change.
  • Asset list - Document all Category 1 and 2 system devices including IP, DNS, OS/iOS version, and physical location. Review and update annually and before significant change.
  • Hardening/configuration standard - Document the standards you’ll use to build and configure the device/server including base OS, allowed ports with supporting business reason, security settings, an OS or software firewall, other software, and removal of defaults. Send this information to University Information Security (UIS) at [email protected] before you configure your device(s) and add them to the University Cardholder Data Environment (CDE). See Information Security Standards in the Information Security Policy.
  • Procedures - Document how you control access management and review, encryption keys, patch and vulnerability management, physical security, change control, firewall reviews, software development lifecycle (SDLC) and unit incident response. This documentation should be stored in the CampusGuard Portal. Review and update annually and before significant change.

PCI In-Scope Operations

Frequently Asked Questions

How to request access to the PCI VPN?

For instructions on how to request access to the PCI VPN, see the Request Access to the PCI VPN Knowledge Base article. Request this access only when your account must perform IT administrative functions on systems in the credit card environment. No credit card information can be accessed, stored or processed using this access. This access must adhere to the full PCI DSS requirements.

How to connect to the PCI VPN?

For instructions on how to connect to the PCI VPN, see the Connect to the PCI VPN Knowledge Base article.

What information is needed to develop a firewall rule?

When making firewall rule requests, you need to provide six (6) pieces of information to University Information Security:

  1. Source IP/range
  2. Source port
  3. Destination IP/range
  4. Destination port
  5. Protocol (TCP/UDP)
  6. Business reason for the rule and documentation to support the requirement.

Firewall rule requests will be evaluated for impact and security by UIS, and the Payment Card Compliance Office where PCI scope may be impacted. It may take up to five (5) business days to properly assess the change and provide approval before the change can be applied to your firewall(s).

When reporting connectivity problems:

Work with the technical support staff who support your operations, and send an email to [email protected].

Please provide as much of the below information as you are able:

  1. Source IP
  2. Destination IP
  3. Type of traffic attempted (SSH connection, HTTP connection, etc.)
  4. Time/date of the attempt
  5. Time/date of identification of the issue

Can other servers be put in the secure credit card VLAN?

For management reasons, this will not be allowed, as it increases the scope for PCI. Servers in the secure credit card VLAN must meet all PCI DSS requirements.

What steps should be followed when decommissioning a device involved in credit card processing?

  1. Securely wipe or physically destroy the hard drive.
  2. Email [email protected] (University Information Security) and [email protected] (University PCI Compliance/Controller's Office) the following:
    • IP address
    • MAC address
    • Network jack location of the device *
    • Reason for decommissioning (e.g., completed UM1705 form stating no longer processing)
    • Secure Data Deletion Process:
      • Method used
      • Date completed
      • Completed by
    • Merchant Account #/Merchant Manager
    • Firewall Rule Change, if applicable
  3. Update your PCI asset list and your network diagram
  4. Update your InsightVM site and assets

* If the network jack will no longer be used for credit card processing, include the MID that University Information Security should transfer the jack to.

After receiving this information, University Information Security will work with you and the Controller's Office to complete the decommissioning process.

Can I use wireless in my credit card processing environment?

Use of wireless for credit card processing is not allowed without prior approval from the Payment Card Compliance Office. For departments that must use wireless, see the PCI Self-Assessment Questionnaire for how to secure it.