System PCI DSS Policies

This page lists policies that apply to all System and university merchants in addition to what is included in the PCI DSS version 3.1 (summarized on the Payment Card Industry Data Security Standard page).

Data retention and disposal (requirement 3.1)
Cardholder data may only be retained to that which is required for business, legal, and/or regulatory purposes. Business requirements for cardholder data storage must be documented and submitted with the yearly Self-Assessment Questionnaire (SAQ). Cardholder data must be deleted/removed/expunged from any system according to the procedure set by the department's Records Disposal Authorization (RDA). If no RDA is currently on file with the University of Illinois Archivist, all records must be kept until the Archivist's new policy on record retention has been completed.

Departments must implement a quarterly procedure to remove, or review, stored cardholder data that has exceeded any retention requirement and is subject to removal. Cardholder data must be deleted/removed/expunged in a PCI DSS compliant manner.

This policy applies to all cardholder data both in electronic and paper format.

Sensitive authorization data (requirement 3.2)
Sensitive authentication data must never be stored after authorization. If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. Displaying PAN (Primary Account Number) (requirement 3.3)

The cardholder PAN (Primary Account Number) must be masked at all times unless there is a legitimate business need to see the full PAN. The first six and last four digits are the maximum number of digits to be displayed.

Strong cryptography (requirement 4.1)
Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, and so on) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
  • Only trusted keys and certificates are accepted.
  • The protocol in use only supports secure versions or configurations.
  • The encryption strength is appropriate for the encryption methodology in use

Transmitting cardholder data (requirements 4.2.a and 4.2.b)
Never transmit or accept any cardholder data by email, chat, instant message, SMS, or any similar end-user messaging technology.

Security patch, anti-virus software, and vulnerability management (requirements 5.2.a and 6.1)
All system components, software, and anti-virus software must have the latest vendor-supplied security patches installed within one month of release. Virus definitions must be updated within 48 hours of release.

Merchant Card Services maintains a process to identify general security vulnerabilities, using reputable outside sources for security vulnerability information, and assigns a risk ranking (for example, as "high," "medium," or "low") to newly-discovered security vulnerabilities. Merchants must do the same for merchant-specific software.

Development of payment processing systems (requirement 6.3.2)
Any internally-developed systems that store, process, or transmit cardholder data must be approved by Merchant Card Services and developed according to the Payment Application Data Security Standard (PA-DSS). All code, including changes after going live, must be reviewed by individuals other than the originating code author and by individuals who are knowledgeable in code review techniques and secure coding practices. Appropriate corrections must be implemented prior to release. Code review results must be reviewed and approved by Merchant Card Services prior to release.

In addition, web applications must be developed according to Open Web Application Security Project (OWASP) guidelines.

Access control (requirement 7.1 and subrequirements)
Access to system components and cardholder data must be limited to individuals whose job requires such access. Access rights for individuals must be set to the least number of privileges to perform the required job and must be assigned based on job classification and function. Authorization forms and documented approval must be maintained for all cardholder data access. All access controls must be implemented by an automated control system.

User accounts and passwords (requirements 8.1.5, 8.5.1, 8.5.7, and 8.5.8)
All user accounts and passwords must follow addition, deletion, modification requirements set forth in the PCI DSS. Group, shared, or generic accounts and passwords are not allowed.

Accounts used by vendors to access, support, or maintain system components via remote access must be enabled only during the time period needed and disabled when not in use.

Media distribution and retention (requirements 9.6, 9.7.a, 9.7.1, 9.7.2, 9.9, 9.9.1, 9.10, and subrequirements)
Any distribution of media, including paper forms, that contains cardholder data must be strictly controlled. The media or the container must be clearly marked so it can be identified as confidential. Media sent outside of a department must be logged and tracked.

All media storage must be inventoried annually.

All media destroyed must be cross-cut shredded, incinerated, pulped, or securely deleted so that there is reasonable assurance that any hard copy materials or data on electronic media could not be reconstructed. Any media ready for disposal must remain as secure as its original storage.

Device tampering and substitution (requirement 9.9)
Merchant Card Services maintains a list of all credit card terminal devices. If a merchant purchases their own payment devices, the merchant is responsible for maintaining a proper inventory of those devices. Devices must be inspected annually for tampering or substitution. Inspection training is available via the cardholder data security training.

Log review (requirements 10.6, 10.7.a, and 10.7.b)
Logs for all system components that are in scope for PCI DSS compliance must be reviewed at least daily. All exceptions must be documented and review of those exceptions must be documented as well.

Audit logs must be retained for at least one year and a process be in place to immediately restore at least the last three months’ logs for analysis.

PCI DSS requirements (requirement 12.1)
All merchants must be PCI DSS compliant at all times. All merchants must comply with all applicable PCI DSS requirements.

Risk assessment (requirement 12.2)
The PCI DSS must be reviewed on a yearly basis for any risks that are not currently being addressed by the standard. Any unaddressed risks must have new controls proposed along with a standard risk assessment for those new controls. Applicability of any controls will be assessed across the merchant installed base and an implementation plan developed for rolling out any additional controls.

Employee-facing technology use (requirements 12.3.1 through 12.3.7)
All employee-facing technologies used within a cardholder data environment require written approval from Merchant Card Services.

Wireless, removable electronic media, laptops, and personal data/digital assistants (PDAs) are not allowed within any cardholder data environment.

Approved devices include:
  • Payment card terminals provided by Merchant Card Services
  • PCs and auxiliary peripherals specifically configured and dedicated to processing payments (see workstation standard)

All technology use must be authenticated with user ID and password or other authentication item (such as a token).

A list of all devices and the personnel authorized to use the devices must be maintained and reviewed on a yearly basis. All devices must be labeled such that they can be properly tracked to a device owner or manager and device purpose.

Approved devices must be used only on networks designed to be PCI DSS compliant and approved by Merchant Card Services.

Remote access technology (requirements 12.3.8 through 12.3.10b)  (Marc, I split this off from the preceding section in order to have smaller chunks of copy. I looked at the pci dss to find a logical break/grouping point)
Any device that utilizes remote-access technologies must employ automatic disconnect of sessions after a period of inactivity. That period must not exceed 60 minutes.

Any remote-access technology used by vendors or business partners must be activated only when needed, with immediate deactivation after use.

If remote-access technology is employed, copying, moving, or storing of any cardholder data, even temporarily, onto any local media is strictly forbidden.

Any email or internet access within a cardholder data environment requires written justification approved by Merchant Card Services and must be reviewed annually as part of the Self-Assessment Questionnaire documentation process.

Applicability (requirement 12.4)
All policies and procedures related to PCI DSS compliance apply to all System and university employees as well as contractors or volunteers working on behalf of the University of Illinois.

Responsibility for security policies and procedures (requirement 12.5.1)(Marc, for the section 12 items I did not use a table but put them into paragraphs because it's easier to read and looks better)
Merchant Card Services is responsible for establishing, documenting, and distributing PCI DSS security policies and procedures.

Responsibility for security alerts (requirement 12.5.2)
All departments that process credit card payments are responsible for monitoring and analyzing security alerts and information, and distributing them to appropriate personnel.

Responsibility for security response and escalation procedures (requirement 12.5.3)
Merchant Card Services is responsible for creating and distributing security incident response and escalation procedures.

Responsibility for user account management (requirement 12.5.4)
Any unit that operates a payment system that requires user accounts must assign and document the security individual or team responsible for the management of those user accounts.

Responsibility for access to data (requirement 12.5.5)
Any unit that operates a payment system that stores cardholder data must assign and document the security individual or team responsible for the monitoring and controlling access to the data.

Engaging service providers (requirement 12.8.3)
Before establishing service with a vendor that stores, processes, or transmits cardholder data on behalf of the University of Illinois, a department must obtain approval from Merchant Card Services to use that vendor. A vendor must be able to demonstrate that they are PCI DSS compliant.

Security breach training and incident response review (requirement 12.10)
University of Illinois employees who are responsible for security breach management must review security breach procedures on an annual basis.

The PCI DSS Incident Response Plan must be reviewed on an annual basis. The plan must be modified and improved to accommodate lessons learned and industry security developments.

Event monitoring (requirement 12.10.3)
Any unit that processes payments with a system that utilizes monitoring systems such as IDS (intrusion detection system) or file integrity monitoring must have a University staff member available on a 24/7 basis to respond to any alerts from those monitoring systems.