Protect Payment Card Information (PCI-DSS)
The Payment Card Industry (PCI) has created requirements for protecting payment card information. The University and all units that process payment card data have a contractual obligation to adhere to the Payment Card Industry Data Security Standard (PCI-DSS). The Payment Card Compliance Office and University Information Security (UIS) are working with departments to assist with compliance.
Scope is the definition of where the PCI Data Security Standards (PCI-DSS) must be applied. Items in-scope include any system or device which processes, stores, transmits, or has the ability to impact the security of cardholder data.
PCI scope will ultimately be determined through the change request process.
From ISACA (Information Systems Audit and Control Association) you can download the Open PCI Scoping Toolkit (PDF) for more background on scoping. This framework classifies system components so that you can narrow down which PCI-DSS controls are required for each device and system.
- Processing - when cardholder data is actively being used by a system component (e.g., entered, edited, manipulated, printed, viewed)
- Storing - when cardholder data is inactive or at rest (e.g., located on electronic media, system component memory, paper)
- Transmitting - when cardholder data is being transferred from one location to another (i.e., data in motion)
Categorizing system components assists with scoping and every system can be placed into one and only one of the following:
- Category 1 - Systems/devices that process, store or transmit cardholder data, or that are not isolated (through controlled access) from other Category 1 system components
- Category 2 - System components that have controlled access to a Category 1 system component. These systems have the ability to impact the security of Category 1 devices.
- Category 3 - System components that are isolated from all Category 1 system components
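The three categories above can be derived mechanically from an asset list and a description of which network paths are filtered. The following Python script is an added example, not University code or part of the ISACA toolkit: it takes a constructed inventory (which hosts handle cardholder data) and a constructed list of links (whether each pair of hosts is separated by controlled access, e.g. a firewall rule, or shares a segment with no filtering), then assigns Category 1 to cardholder-data systems and anything reachable from them over unfiltered links, Category 2 to systems with controlled access to a Category 1 system, and Category 3 to the rest. Host names, links and the `controlled` flag are all assumptions made for illustration.

```python
"""Assign PCI scoping categories (1, 2, 3) from an asset list and
connectivity description.  Added example; not University tooling.
All hosts and links below are constructed sample data."""
from collections import deque

# Constructed inventory: host -> does it process, store or transmit CHD?
ASSETS = {
    "pos-terminal-1": True,
    "payment-gw-proxy": True,
    "jump-host": False,
    "ad-dc": False,
    "library-web": False,
    "hr-db": False,
}

# Constructed connectivity.  Each link is (host_a, host_b, controlled).
# controlled=False: the hosts share a segment with no filtering between them.
# controlled=True:  traffic is restricted to specific ports by a firewall rule.
LINKS = [
    ("pos-terminal-1", "payment-gw-proxy", False),  # same credit card VLAN
    ("jump-host", "payment-gw-proxy", True),        # SSH from jump host only
    ("ad-dc", "jump-host", True),                   # AD reaches the jump host only
    ("library-web", "hr-db", False),                # unrelated segment
]


def categorize(assets, links):
    """Return {host: category} following the three-category rule."""
    adj = {host: [] for host in assets}
    for a, b, controlled in links:
        adj[a].append((b, controlled))
        adj[b].append((a, controlled))

    # Category 1: CHD systems, plus anything reachable from a Category 1
    # system over an uncontrolled link (transitively: no isolation means the
    # whole flat segment is in scope).
    cat1 = {host for host, handles_chd in assets.items() if handles_chd}
    queue = deque(cat1)
    while queue:
        host = queue.popleft()
        for neighbour, controlled in adj[host]:
            if not controlled and neighbour not in cat1:
                cat1.add(neighbour)
                queue.append(neighbour)

    # Category 2: not Category 1, but has controlled access to a Category 1
    # system and can therefore impact its security.
    cat2 = {
        host for host in assets
        if host not in cat1 and any(n in cat1 for n, _ in adj[host])
    }

    # Category 3: isolated from every Category 1 system.
    return {
        host: 1 if host in cat1 else 2 if host in cat2 else 3
        for host in assets
    }


def in_scope(categories):
    """Category 1 and 2 systems must meet the PCI-DSS controls."""
    return sorted(host for host, cat in categories.items() if cat in (1, 2))


if __name__ == "__main__":
    for host, cat in sorted(categorize(ASSETS, LINKS).items()):
        print(f"{host:18} Category {cat}")
```

In the sample data the jump host lands in Category 2 and the directory server in Category 3 because it can only reach the jump host. Treat that result as a starting point rather than a verdict: the scope definition above also pulls in any component that can impact the security of cardholder data, so a server that authenticates or manages Category 1 or 2 systems needs a closer look even when the graph puts it two hops away.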
Point-to-Point Encryption (P2PE) and Scope Reduction
Point-to-Point Encryption solutions can reduce the scope of the credit card environment. Each P2PE solution must be carefully vetted to ensure that the implementation does indeed reduce the scope. Contact the Payment Card Compliance Office to begin the process.
PCI In-Scope Documentation Requirements
- Change request and approval - Contact the Payment Card Compliance Office to notify them of new merchants or changes to credit card processing for existing merchants. These must be approved by the Payment Card Compliance Office before changes are made to the credit card processing environment.
- Network and data flow diagrams - Develop or update your network diagram to show all connections to the cardholder data environment. Network and data flow diagrams should include printers and virtual system components and should document intra-host data flows. See example. Review and update annually and before significant change.
- Asset list - Document all Category 1 and 2 system devices including IP, DNS, OS/iOS version, and physical location. Review and update annually and before significant change.
- Hardening/configuration standard - Document the standards you'll use to build and configure the device/server, including base OS, allowed ports with supporting business reason, security settings, an OS or software firewall, other software, and removal of defaults. Send this information to University Information Security (UIS) at email@example.com before you configure your device(s) and add them to the University Cardholder Data Environment (CDE). See Information Security Standards in the Information Security Policy.
- Procedures - Document how you control access management and review, encryption keys, patch and vulnerability management, physical security, change control, firewall reviews, software development lifecycle (SDLC) and unit incident response. This documentation should be stored in the CampusGuard Portal. Review and update annually and before significant change.
PCI In-Scope Operations
- Review the PCI Data Security Standard (PCI-DSS) - Examine the current PCI-DSS and new releases as they are available. Work with your area to meet the requirements. The PCI-DSS requirements are control objectives that need to be met by Category 1 and 2 system components.
- Review University Policies - Read
- Acceptable Use of Information Technology Resources,
- Reporting and Notifying Individuals of Information Security Breaches,
- Information Security Standards in the Information Security Policy along with
- Accepting Revenue via Payment Cards.
- Complete the PCI Self-Assessment Questionnaire (SAQ) for your area - Contact the Payment Card Compliance Office for assistance with determining which SAQ best applies to your payment card environment. Complete the SAQ.
- Review and update documentation - Annually and upon significant change, review your documentation to ensure it is up to date and accurate. Within the document, show the last date of review and the parties involved.
- Follow documented standards and procedures - Ensure your system components match the documented hardening and configuration standards. Follow procedures for maintaining your environment.
- Review firewall rules semi-annually - At least every six months, review the firewall rules protecting your secure credit card VLAN to ensure they are configured to provide the least access necessary for business. See PCI Firewall Review Procedure for more information.
- Engage in internal vulnerability scans and remediation - Internal vulnerability scans will be run on a regular basis using the Qualys internal scanner. See Qualys Scanning for PCI Devices Procedure for more information.
- Engage in external vulnerability scans and remediation - External vulnerability scans by an approved PCI scan vendor will be run on a regular basis. See External Vulnerability Scan Procedure (PDF) for more information.
- Engage in Penetration Testing - Penetration tests will be performed annually or upon completion of significant change. The Payment Card Compliance Office will work with the Merchant Manager on the process.
Frequently Asked Questions
How to request access to the PCI VPN?
For instructions on how to request access to the PCI VPN, see KnowledgeBase article KB0017810. Request this access when your account needs to perform IT administrative functions on systems in the credit card environment. No credit card information can be accessed, stored or processed using this access. This access must adhere to the full PCI-DSS requirements.
How to connect to the PCI VPN?
For instructions on how to connect to the PCI VPN, see Knowledgebase article KB0017814.
What information is needed to develop a firewall rule?
When making firewall rule requests, you need to provide six (6) pieces of information to University Information Security:
- Source IP/range
- Source port
- Destination IP/range
- Destination port
- Protocol (TCP/UDP)
- Business reason for the rule and documentation to support the requirement.
Firewall rule requests will be evaluated for impact and security by UIS, and the Payment Card Compliance Office where PCI scope may be impacted. It may take up to five (5) business days to properly assess the change and provide approval before the change can be applied to your firewall(s).
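The six fields above are also what a reviewer checks during the semi-annual firewall review described under PCI In-Scope Operations: every rule must still have a business reason, and its source, destination, protocol and ports must be as narrow as that reason requires. The following Python script is an added example, not a University tool: it runs that check over a constructed set of rule requests and flags missing fields, "any" or all-address sources and destinations, non-TCP/UDP protocols, wide destination port ranges, and rules whose last review is older than six months. The rules, IP ranges, the `MAX_PORT_SPAN` threshold and the `last_reviewed` field are assumptions made for illustration.

```python
"""Least-access and completeness checks for PCI firewall rule requests.
Added example; not the University's review procedure.  All rules below are
constructed sample data using RFC 1918 addresses."""
import ipaddress
from datetime import date, timedelta

# The six pieces of information a rule request must carry.
REQUIRED = ("source", "source_port", "destination", "destination_port",
            "protocol", "business_reason")
MAX_PORT_SPAN = 10                      # assumption: wider ranges need a separate justification
REVIEW_INTERVAL = timedelta(days=182)   # review at least every six months
TODAY = date(2024, 6, 1)                # fixed "today" so the sample is reproducible

# Constructed rule requests.  Rule 1 is a reasonable request; 2 and 3 are not.
RULES = [
    {"id": 1, "source": "10.20.30.0/24", "source_port": "any",
     "destination": "10.99.1.10/32", "destination_port": "443", "protocol": "TCP",
     "business_reason": "POS terminals post to payment gateway proxy (ticket 4521)",
     "last_reviewed": date(2024, 3, 1)},
    {"id": 2, "source": "0.0.0.0/0", "source_port": "any",
     "destination": "10.99.1.0/24", "destination_port": "any", "protocol": "TCP",
     "business_reason": "", "last_reviewed": date(2023, 1, 15)},
    {"id": 3, "source": "10.5.5.5/32", "source_port": "any",
     "destination": "10.99.1.10/32", "destination_port": "22-1024", "protocol": "ICMP",
     "business_reason": "admin access from jump host", "last_reviewed": date(2024, 3, 1)},
]


def parse_ports(spec):
    """Return (low, high) for '443' or '22-1024'; None for 'any'."""
    if spec.strip().lower() == "any":
        return None
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def review_rule(rule, today):
    """Return a list of findings for one rule; an empty list means it passes."""
    findings = []
    for field in REQUIRED:
        if not str(rule.get(field, "")).strip():
            findings.append(f"missing {field}")

    # Source and destination must be specific addresses or ranges, never "any".
    for side in ("source", "destination"):
        value = str(rule.get(side, "")).strip()
        if value.lower() == "any":
            findings.append(f"{side} is any")
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"{side} {value!r} is not a valid IP/CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"{side} covers all addresses")

    if str(rule.get("protocol", "")).upper() not in ("TCP", "UDP"):
        findings.append("protocol must be TCP or UDP")

    # Destination ports are where least access is usually lost.
    try:
        span = parse_ports(str(rule.get("destination_port", "")))
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if span is None:
            findings.append("destination port is any")
        elif span[1] - span[0] + 1 > MAX_PORT_SPAN:
            findings.append(f"destination port range spans {span[1] - span[0] + 1} ports")

    if "last_reviewed" in rule and today - rule["last_reviewed"] > REVIEW_INTERVAL:
        findings.append("review overdue")
    return findings


def review_rules(rules, today):
    """Map each rule id to its findings."""
    return {rule["id"]: review_rule(rule, today) for rule in rules}


if __name__ == "__main__":
    for rule_id, findings in review_rules(RULES, TODAY).items():
        print(f"rule {rule_id}: {'OK' if not findings else '; '.join(findings)}")
```

Keep the thresholds in one place and record them with the rule set so the next review is run against the same criteria. The script deliberately does not try to judge whether a business reason is adequate; it only proves that one was supplied, which is the part a reviewer can automate before reading the justification and supporting documentation.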
When reporting connectivity problems:
Work with the technical support staff who support your operations, and send an email to firstname.lastname@example.org.
Please provide as much of the below information as you are able:
- Source IP
- Destination IP
- Type of traffic attempted (SSH connection, HTTP connection, etc)
- Time/date of the attempt
- Time/date of identification of the issue
Can other servers be put in the secure credit card vlan?
For management reasons, this will not be allowed, as it increases the scope for PCI. Servers in the secure credit card VLAN must meet all PCI-DSS requirements.
What steps should be followed when decommissioning a device involved in credit card processing?
- Securely wipe or physically destroy the hard drive.
- Email email@example.com (University Information Security) and firstname.lastname@example.org (University PCI Compliance/Controller's Office) the following:
- IP address
- MAC address
- Network jack location of the device *
- Reason for decommissioning (e.g., completed UM1705 form stating no longer processing)
- Secure Data Deletion Process:
- Method used
- Date completed
- Completed by
- Merchant Account #/Merchant Manager
- Firewall Rule Change, if applicable
- Update your PCI asset list and your network diagram
- Update your Qualys asset group
* If the network jack will no longer be used for credit card processing, include the MID that University Information Security should transfer the jack to.
After receiving this information, University Information Security will work with you and the Controller's Office to complete the decommissioning process.
Can I use wireless in my credit card processing environment?
Use of wireless for credit card processing is not allowed without prior approval from the Payment Card Compliance Office. For departments that must use wireless, see the PCI Self-Assessment Questionnaire for how to secure it.
Resources & Links
- See the PCI Security Standards Council web site for the following:
- University Policies:
- Accepting Revenue Via Payment Cards
- Information Security Standards in the Information Security Policy
- Acceptable Use of Information Technology Resources
- Reporting and Notifying Individuals of Information Security Breaches
- Encrypting Stored Data
- Secure Data Deletion
- Information on Accepting Credit Cards - Payment Card Compliance Office (email@example.com)
- Open PCI Scoping Toolkit - ISACA