PCI Compliance - University of Nevada, Reno

PCI Compliance Training
University of Nevada, Reno
Presented by The Controller’s Office

PCI Compliance

In 2008, UNR reached an e-commerce transaction volume threshold requiring the university to follow the Payment Card Industry Data Security Standard (PCI-DSS). In response to this requirement, UNR has developed an information security policy related to credit card processing by university departments. This training will provide you with an overview of the policies and procedures you must follow in order to continue to receive payments via credit card.

What is PCI Compliance?

The PCI-DSS program is a mandated set of security standards created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding cardholder data for all credit card brands.

The PCI-DSS requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data.

The requirements apply to all methods of credit card processing; the most comprehensive and demanding requirements apply to e-commerce websites and retail POS systems that process credit cards over the Internet.

PCI Compliance – Policy Roles and Responsibilities

All employees, contractors, vendors and third parties that use, maintain or handle UNR information assets must follow this policy. The following university positions and departments have responsibilities related to the development, monitoring and enforcement of this policy.

Chief Information and Chief Security Officers - The Chief Information Officer, Steve Zink, is responsible for coordinating and overseeing UNR’s compliance regarding the confidentiality, integrity and security of its information assets. The Chief Security Officer, Jeff Springer, works closely with the Chief Information Officer and other UNR managers and staff involved in securing the university’s information assets to enforce established policies, identify areas of concern, and implement appropriate changes as needed.

PCI Compliance – Policy Roles and Responsibilities

Network Security Department - The Network Security Department works with department system managers, administrators and users to develop security policies, standards and procedures to help protect the assets of UNR.

IT Critical Systems Group - The UNR IT Critical Systems Group is the direct link between information security policies and the network, systems and data.

Human Resources - The Human Resources Department will, when requested by the department, perform background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information.

PCI Compliance – Policy Roles and Responsibilities

University Departments –
• Departments are responsible for ensuring that reference checks are done on all classified and professional employees hired.
• Departments will request that Human Resources conduct background checks including pre-employment, criminal, and credit history on all potential employees who will have access to systems, networks, or data that contain credit card information.
• Departments will enter termination information into the Employee Separation Notification form on the HR website, which generates an email to the notification group that notifies Computing and Telecommunications when any employee is terminated. This will result in the employee’s access being terminated for all university PCI systems.

PCI Compliance – Policy Roles and Responsibilities

BCN Purchasing Department – The Purchasing Department will ensure that third parties with whom cardholder data is shared are contractually required to adhere to the PCI-DSS requirements and to acknowledge that they are responsible for the security of the cardholder data which they process.

Controller’s Office – The Controller’s Office will verify that all employees responsible for processing credit card payments attend security awareness training upon hire and at least annually. If training is not completed, the department’s merchant number will be deactivated.

PCI Compliance – Policy Roles and Responsibilities

Each user of UNR computing and information resources must realize the fundamental importance of information resources and recognize their responsibility for safekeeping those resources. The following are specific responsibilities of all UNR information system users:
• Understand the consequences of their actions with regard to computing security practices and act accordingly. Embrace the “Security is everyone’s responsibility” philosophy to assist UNR in meeting its business goals.
• Maintain awareness of the contents of the information security policies.
• Employees must read and sign the UNR Security Awareness and Acceptable Use Policy and accept the Campus Use Agreement during the NetID activation process and annually thereafter.
• All users must accept the Campus Use Agreement during the NetID activation process.

PCI Compliance – Data Access

General Access

All confidential or sensitive data must be protected via access controls to ensure that data is not improperly disclosed, modified, deleted or rendered unavailable. Employees will only be authorized to view information based on what is required to perform their job.

PCI Compliance – Data Access

Data Access Request Process - PCI Network
• As part of the PCI compliance process at UNR, a separate PCI network has been established to process credit card transactions for certain campus software applications such as the WolfCard and the bookstore. Employees needing access to this network will be required to complete an additional security application and have a separate login and password.
• Shared or group user IDs are never permitted for user-level access.
• Every user must use a unique user ID and a personal secret password for access to UNR information systems and networks.

Credit Card Processing

Methods of accepting credit card numbers

Departments may receive credit card numbers by phone, fax or mail. After the authorization for the charge is received, the credit card number must be shredded or, if retained, kept in a locked, secure location and shredded after 120 days. Only employees with a business need to know should have access to the stored receipts.

Credit card numbers may not be received via email; this is not a secure transmission method. If an email is received, do not process the payment. Respond to the sender that the payment cannot be processed through an email request, and make sure the credit card number does not appear in your response. Immediately delete the original email containing the credit card number.

Credit Card Processing

Methods of processing credit card transactions:
• Using credit card terminals that are connected to the bank via an analog phone line or an IP connection.
• A website hosted by the university where the credit card payment is made via a third-party processor, such as Authorize.net.
• A website hosted by a third party.

Manual credit card machines that make an imprint of the credit card are not allowed.

Credit card terminals used off campus for special events must be connected via an analog phone line to be PCI compliant.

Departments are not allowed to enter a credit card number using a UNR computer unless the computer is dedicated for this purpose only and has been set up by Network Security in the PCI network.

Credit Card Processing

PCI rules and procedures apply to university P-Cards and transactions between departments. University P-Card numbers may not be stored in any electronic format, but may be stored on a hard copy which is kept in a locked, secure location.

NRS 597.945 prohibits a business from printing more than the last 5 digits of a credit card number on any copy of the receipt. All departments should have been contacted by Wells Fargo Bank in December 2009 or January 2010 to modify or replace existing credit card terminals so that they meet this requirement.

Incident Response Plan and Procedures

Incident Identification

Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
• Theft, damage, or unauthorized access (e.g., unauthorized logins, papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry)
• Fraud – inaccurate information within databases, logs, files or paper records

Incident Response Plan and Procedures

Incident Identification (continued)
• Abnormal system behavior (e.g., unscheduled system reboot, unexpected messages, abnormal errors in system log files or on terminals).
• Security event notifications (e.g., file integrity alerts, intrusion detection alarms, and physical security alarms).
• All employees, regardless of job responsibilities, should be aware of the potential incident identifiers and who to notify in these situations.

Incident Response Plan and Procedures

With the exception of the steps outlined below, it is imperative that any investigative or corrective action be taken only by Network Security Department personnel to assure the integrity of the incident investigation and recovery process. When faced with a potential situation you should do the following:

If the incident involves a compromised computer system:
• Do not alter the state of the computer system.
• The computer system should remain on and all currently running computer programs left as is. Do not shut down or restart the computer.

Incident Response Plan and Procedures

• Immediately disconnect the computer from the network by removing the network cable from the back of the computer.
• Document any information you know while waiting for the Network Security Department to respond to the incident. If known, this must include the date, time, and nature of the incident. Any information you can provide will aid in responding in an appropriate manner.

Incident Response Plan and Procedures

Reporting and Incident Declaration Procedures
• The Network Security Department should be notified immediately of any suspected or real security incidents involving UNR computing assets. If it is unclear whether a situation should be considered a security incident, the Network Security Department should be contacted to evaluate the situation.
• No one should communicate with anyone outside of their supervisor(s) or the Network Security Department about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Network Security Department with the Vice President for Information Technology, who will notify the President’s Office.

Data Retention Policies

Retention Requirements
• Cardholder data for all transactions should be kept for 120 days. This applies to all cardholder data retained in any kind of format.
• Cardholder data utilized for recurring transactions may be retained for the lifetime of the customer’s account with UNR. Once a customer’s account is disabled or terminated, all the cardholder data for that account must be purged within 120 days of the termination using an approved destruction method.
• Cardholder “authorization data”, including track, CVV2, and PIN information, may be retained only until completion of the authorization of a transaction. After authorization, the data must be deleted according to an approved disposal process described in the following section. Storage of cardholder authentication data post-authorization is forbidden.

Data Retention Policies

Hardcopy and Electronic Media
• Confidential or sensitive information, including credit card information, must never be copied onto removable media without authorization from the Network Security Department.
• At no time are hardcopy or electronic media containing confidential or sensitive information to be removed from any UNR secure office environment.
• The credit card number may not be kept in any electronic format, including Excel spreadsheets or USB thumb drives.
• All hardcopy documents containing credit card information currently in on- or off-campus storage that are older than 3 years should be shredded. At the end of each of the next 3 years the oldest year’s documents should be shredded, so that at the end of the 3-year period all credit card documents will be retained for a period of 120 days only.

Data Disposal Policy

Hardcopies (paper receipts, paper reports, and faxes) should be cross-cut shredded, incinerated, or pulped. A record must be maintained that indicates the records disposed of and the date of disposal.

Before computer or communications equipment can be sent to a vendor for trade-in, servicing or disposal, all confidential or sensitive information must be destroyed or removed according to the approved methods in this policy.

Outsourced destruction of media containing confidential or sensitive information must use a bonded disposal vendor that provides a “Certificate of Destruction”.

If your department is involved in an audit, investigation, or litigation, all destruction of records in your custody must cease. When you are notified that the audit, investigation or litigation is ended or resolved, you may destroy documents according to this policy.

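The retention rules above (120-day limit, purge within 120 days of a recurring account ending, no track/CVV2/PIN data after authorization) and this section's rule that an audit, investigation or litigation halts destruction can be applied mechanically to a media inventory. The Python below is an added example, not part of the UNR training or policy; the record fields and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

RETENTION_DAYS = 120   # cardholder data is kept for 120 days, then destroyed

@dataclass
class StoredRecord:
    # Constructed record shape (an assumption, not a UNR form) with the facts the policy needs.
    record_id: str
    kind: str                                 # "transaction", "recurring" or "authorization"
    stored_on: date                           # date the data was retained
    authorized: bool = True                   # authorization already completed?
    account_closed_on: Optional[date] = None  # recurring data: when the account ended
    legal_hold: bool = False                  # audit, investigation or litigation open

def disposition(rec: StoredRecord, today: date) -> str:
    """Return the action the retention and disposal rules require for one record."""
    # Track, CVV2 and PIN data may exist only until authorization completes; afterwards it is a violation.
    if rec.kind == "authorization":
        return "retain" if not rec.authorized else "VIOLATION: auth data kept post-authorization"
    if rec.legal_hold:                        # audit/investigation/litigation halts destruction
        return "hold"
    if rec.kind == "recurring":
        if rec.account_closed_on is None:
            return "retain"                   # kept for the lifetime of the account
        clock_start = rec.account_closed_on   # purge within 120 days of termination
    elif rec.kind == "transaction":
        clock_start = rec.stored_on
    else:
        raise ValueError(f"unknown record kind {rec.kind!r}")
    # Boundary assumption: a record exactly 120 days old is due for destruction.
    return "destroy" if today - clock_start >= timedelta(days=RETENTION_DAYS) else "retain"

def sample_review(today: date = date(2010, 6, 1)) -> Dict[str, str]:
    """Review a constructed sample inventory (not real data) as of 1 June 2010."""
    records = [
        StoredRecord("phone-order-1", "transaction", date(2010, 1, 4)),
        StoredRecord("phone-order-2", "transaction", date(2010, 5, 3)),
        StoredRecord("phone-order-3", "transaction", date(2010, 1, 4), legal_hold=True),
        StoredRecord("season-pass", "recurring", date(2008, 9, 1)),
        StoredRecord("closed-pass", "recurring", date(2008, 9, 1), account_closed_on=date(2010, 1, 15)),
        StoredRecord("cvv-in-flight", "authorization", date(2010, 5, 31), authorized=False),
        StoredRecord("cvv-on-disk", "authorization", date(2010, 5, 31)),
    ]
    return {r.record_id: disposition(r, today) for r in records}

if __name__ == "__main__":
    for record_id, action in sample_review().items():
        print(f"{record_id:15} {action}")
```

The "VIOLATION" result is the one worth alerting on: it means authorization data survived past the point where the policy says it must already be gone.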
PCI Compliance - Inventory

A Media Inventory Log (Appendix D) is to be kept in all secure media (hardcopy and electronic) storage locations.

Electronic Media - All stored electronic media containing confidential or sensitive information must be inventoried at least annually by the Network Security Department. At this time, the security controls on the storage mechanism will be checked. Upon completion of the inventory the log will be updated.

Hardcopy Media - All stored hardcopy media containing PCI data must be inventoried at least annually by the campus department, and the Media Inventory Logs must be submitted to the Controller’s Office, who will verify that all the required logs have been completed. The Controller’s Office will submit the forms to Campus Auditors. At this time, the Campus Auditors will check security controls on the storage mechanism and review and approve the log.

PCI Compliance - Summary

All departments and department employees that accept payment via credit card must be aware of and follow the University’s information security policy and must attend training on the policy annually.

Credit card data is confidential data, and access to this data should be limited and granted only on a business need-to-know basis. This access should be terminated whenever an employee changes job duties or terminates employment.

Before a web application may be established to accept credit card payments, the department must obtain approval in writing from the Network Security Department – Jeff Springer, 784-8247 ([email protected]) – and Rhonda Dome at 784-4297 or Renee Reed at 784-3573.

PCI Compliance - Summary

Credit card data is sensitive and confidential and should only be retained as required for business purposes and must be deleted after 120 days.

Credit card data may not be kept in any electronic format unless the format and method of storage has prior approval from the UNR Network Security Department.

When credit card data is no longer needed or after 120 days, whichever comes first, the data must be deleted using an approved method such as sanitizing, incinerating, pulverizing or shredding. The Network Security Department can provide assistance with data destruction if needed.

PCI Compliance - Summary

Before computer or communications equipment can be sent to a vendor for trade-in, servicing or disposal, all confidential or sensitive information must be destroyed or removed according to approved removal methods.

If your department is involved in an audit, investigation, or litigation, all destruction of records in your custody must cease. When you are notified that the audit, investigation or litigation is ended or resolved, you may destroy documents according to this policy.

Contacts

• Philomena McCaffrey
  Email: [email protected]
  Phone: 784-4176
• Rhonda Dome
  Email: [email protected]
  Phone: 784-4297
• Renee Reed
  Email: [email protected]
  Phone: 784-3573