Date : June 29, 2005
The Payment Card Industry (PCI) has created requirements for protecting payment card information, including information in computers which process and store credit card and other payment card information. These requirements become effective June 30, 2005 and the University must adhere to these standards to limit its liability and continue to process payments using payment cards.
All computers and electronic devices at the University of Missouri - St. Louis (UMSL) involved in processing, storing, or transmitting payment card data are impacted by the PCI Data Security Standard.
This document refers only to ecommerce sites being hosted by an UMSL department or Information Technology Services (ITS), not the entire UMSL network.
The University of Missouri-St. Louis (UMSL) campus network provides access to the campus computing facilities and the Internet. All users of the UMSL network must conform to the University of Missouri-St. Louis Acceptable Use Policy (http://www.umsl.edu/technology/policy/acceptable.html) and the University of Missouri -St. Louis Network Policy (http://www.umsl.edu/technology/policy/network.html).
If a department hosts an ecommerce site, there are additional policies that must be followed. Violation of any of the following policies may result in immediate disconnection from the network, administrative sanction, and/or legal action.
Any department wishing to install or to continue use of ecommerce capabilities must inform Information Technology Services of their intentions by calling the Technology Support Center (516-6034) or emailing the Computer Security and Incident Response Team (CSIRT) at email@example.com. In no case is credit card information to be processed, stored, or transmitted on an UMSL computer without explicit prior approval from the CSIRT.
Requirement 1: Install and maintain a firewall configuration to protect data
- All router, switch, and firewall configurations must be secured and conform to the security standards as outlined in the Information Technology Services Network Device Policy.
- Wireless technology must not be used to access the network in any ecommerce environment.
- All changes to the firewall must be authorized by the CSIRT and logged by a firewall administrator.
- The firewall must limit ecommerce traffic to that which is required to conduct business.
- Egress and ingress filters must be installed on the border router to prevent impersonation with spoofed IP addresses.
- If payment card account information has to be stored in a database, it must be located on a secure internal network with no connections to it originating from outside UMSL.
- Web servers located on a publicly reachable network segment must be separated from the internal network by the firewall.
- The secure internal networks must use network address translation (NAT) to hide IP addresses.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Vendor default security settings, services, protocols, accounts, and passwords must be removed, disabled or changed if they are unnecessary on systems before taking them into production.
- Secure, encrypted communications must be used for remote administration of ecommerce systems and applications.
Requirement 3: Protect stored data
- In general, storage of sensitive cardholder data should be minimized. The business value for storing cardholder data must outweigh the risks inherent in storing the data. The value must be demonstrated and documented.
- Sensitive cardholder data must be securely disposed of when no longer needed.
- It is prohibited to store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.) in the database, log files, or point-of-sale products.
- It is prohibited to store the card-validation code (three-digit value printed on the signature panel of a card) in the database, log files, or point-of-sale products.
- All but the last four digits of the account number must be masked when displaying cardholder data to any customer or user other than an administrator who has access to that information.
- Account numbers (in databases, logs, files, backup media, etc.) must be stored securely, for example, by means of encryption (128-bit minimum) or truncation.
- Account numbers must be deleted or modified so that it is useless for attacks before being logged in the audit log.
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.
- Transmission of sensitive cardholder data must be encrypted over public networks using SSL version 3.0 with 128-bit or higher encryption.
- The transmission of payment card account numbers via e-mail is prohibited.
Requirement 5: Use and regularly update anti-virus software
- A virus scanner must be installed and updated regularly on all relevant servers and workstations.
Requirement 6: Develop and maintain secure systems and applications
- Development, testing, and production systems must be updated with the latest security-related patches released by the vendors.
- The software and application development process must be based on an industry best practice and information security must be included throughout the software development life cycle (SDLC) process.
- If production data is used for testing and development purposes, sensitive cardholder data must be sanitized before usage.
- All changes to the production environment and applications must be formally authorized, planned, and logged before being implemented.
- The guidelines commonly accepted by the security community [such as Open Web Application Security Project group (http://www.owasp.org)] must be taken into account in the development of Web applications.
- The application must be designed to prevent malicious users from trying to determine existing user accounts.
- Sensitive cardholder data should not be stored in cookies. If this data has to be stored in cookies, then it must be encrypted.
- Controls must be implemented on the server side to prevent SQL injection and other bypassing of client side-input controls.
Requirement 7: Restrict access to data by business need-to-know
- Access to payment card account numbers is restricted to only those users who have a need to know.
Requirement 8: Assign a unique ID to each person with computer access
- Each non-consumer user with ecommerce access is required to authenticate using a unique username and password, not a generic account.
- Employees, administrators, or third parties who need to access the ecommerce network remotely must connect with the UMSL VPN.
- When an employee leaves UMSL, that employee's user accounts and passwords must be revoked immediately.
- All user accounts must be reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist.
- Non-consumer accounts that are inactive for a lengthy period must be automatically disabled.
- Accounts used by vendors for remote maintenance must be enabled only during the time needed.
- Group, shared, or generic accounts and passwords are prohibited for non-consumer users.
- Non-consumer users are required to change their password on a regular basis to a new password.
- Users must choose a strong password which includes at least eight characters, upper and lower case, and non-alphabetic characters.
- There must be an account-lockout mechanism that blocks a malicious user from obtaining access to an account by multiple password retries or brute force.
Requirement 9: Restrict physical access to cardholder data
- In general, storage of sensitive cardholder data should be minimized
- All UMSL ecommerce servers must be located in the ITS data center for maximum physical security, unless a secure alternative location is provided and the CSIRT approves it. A secure alternative location is defined to be one which complies with PCI guidelines.
- Equipment and media containing cardholder data must be physically protected against unauthorized access.
- All cardholder data printed on paper or received by fax must be protected against unauthorized access.
- Procedures must be in place to handle secure distribution and disposal of backup media and other media containing sensitive cardholder data.
- All media devices that store cardholder data must be properly inventoried and securely stored.
- Cardholder data must be deleted or destroyed before it is physically disposed (for example, by shredding papers or degaussing backup media).
Requirement 10: Track and monitor all access to network resources and cardholder data
- All access to cardholder data, including root/administration access must be logged.
- Access control logs must contain successful and unsuccessful login attempts and access to audit logs.
- All critical system clocks and times must be synchronized, and logs must include a date and time stamp.
- The firewall, router, and authentication server logs must be regularly reviewed for unauthorized traffic.
- Audit logs must be regularly backed up, secured, and retained for at least one-year offline for all critical systems.
Requirement 11: Regularly test security systems and processes
- A vulnerability scan or penetration test must be performed on all Internet-facing applications and systems before they go into production.
- An intrusion detection system (IDS) must be used on the ecommerce networks.
- Security alerts from the IDS must be continuously monitored, and the latest IDS signatures must be installed.
Requirement 12: Maintain a policy that addresses information security
- Information security policies, including policies for access control, application and system development, operational, network and physical security, must be formally documented.
- Information security policies and other relevant security information must be disseminated to all system users (including vendors, contractors, and business partners).
- Information security policies must be reviewed at least once a year and updated as needed.
- The roles and responsibilities for information security must be clearly defined.
- There must be an up-to-date information security awareness and training program in place for all system users.
- Employees are required to sign an agreement verifying they have read and understood the security policies and procedures.
- A background investigation (such as a credit- and criminal-record check, within the limits of local law) should be performed on all employees with access to account numbers.
- All third parties with access to sensitive cardholder data must be contractually obligated to comply with card association security standards.
- A security incident response plan must be formally documented and disseminated to the appropriate responsible parties.
- Security incidents must be reported to the CSIRT by calling the Technology Support Center (516-6034) or emailing firstname.lastname@example.org.
- There must be an incident response team ready to be deployed in case of a cardholder data compromise.
Glossary (from the PCI Self Assessment Questionnaire):
Access control: Measures that limit access to information or information processing resources to those authorized persons or applications.
Account harvesting: A method to determine existing user accounts based on trial and error. Giving too much information in an error message can disclose information that makes it easier for an attacker to penetrate or compromise the system.
Account number: The payment card number (credit or debit) that identifies the issuer and the particular cardholder account.
Acquirer: A bankcard association member that initiates and maintains relationships with merchants that accept Visa or MasterCard cards.
Asset: Information or information processing resources of an organization.
Audit Log: A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results. Sometimes specifically referred to as a security audit trail.
Authentication: The process of verifying identity of a subject or process.
Authorization: The granting of access or other rights to a user, program, or process.
Backup: A duplicate copy of data made for archiving purposes or for protecting against damage or loss.
Card-validation code: The three-digit value printed on the signature panel of a payment card used to verify card-not-present transactions. On a MasterCard payment card this is called CVC2. On a Visa payment card this is called CVV2.
Cardholder: The customer to whom a card has been issued or the individual authorized to use the card.
Cardholder data: All personally identifiable data about the cardholder and relationship to the Member (i.e., account number, expiration date, data provided by the Member, other electronic data gathered by the merchant/agent, and so on). This term also accounts for other personal insights gathered about the cardholder (i.e., addresses, telephone numbers, and so on).
Compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of cardholder data may have occurred.
Console: A screen and keyboard which allows access and control of the server / mainframe in a networked environment.
Consumer: Individual purchasing goods and /or services.
Cookies: A string of data exchanged between a web server and a web browser to maintain a session. Cookies may contain user preferences and personal information.
Database: A structured format for organizing and maintaining information that can be easily retrieved. A simple example of a database is a table or a spreadsheet.
DBA: Doing Business As. Compliance validation levels are based on the transaction volume of a DBA or chain of stores (not of a corporate that owns several chains).
Default accounts: A system login account that has been predefined in a manufactured system to permit initial access when the system is first put into service.
Default password: The password on system administration or service accounts when a system is shipped from the manufacturer, usually associated with the default account. Default accounts and passwords are published and well known.
Dual Control: A method of preserving the integrity of a process by requiring that several individuals independently take some action before certain transactions are completed.
DMZ: De-militarized zone. A network added between a private network and a public network in order to provide an additional layer of security.
Egress: Traffic leaving the network.
Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption), against unauthorized disclosure.
Firewall: Hardware and/or software that protect the resources of one network from users from other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its own private data resources.
Host: The main hardware on which software is resident.
Information Security: Protection of information for confidentiality, integrity and availability.
Ingress: Traffic entering the network.
Intrusion detection system: An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
IP address: An IP address is a numeric code that uniquely identifies a particular computer on the Internet.
IP Spoofing: A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
ISO 8583: An established standard for communication between financial systems.
Key: In cryptography, a key is a value applied using an algorithm to unencrypted text to produce encrypted text. The length of the key generally determines how difficult it will be to decrypt the text in a given message.
Magnetic Stripe Data (Track Data): Data encoded in the magnetic stripe used for authorization during a card present transaction. Entities may not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/CVV, and Visa reserved values must be purged; however, account number, expiration date, and name may be extracted and retained.
Monitoring: A view of activity on a network.
Network: A network is two or more computers connected to each other so they can share resources.
Network Address Translation (NAT): The translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network.
Non-consumer users: Any user, excluding consumer customers, that accesses systems, including but not limited to, employees, administrators, and third parties.
Password: A string of characters that serve as an authenticator of the user.
Patch: A quick-repair job for a piece of programming. During a software product's beta test distribution or try-out period and later after the product is formally released, problems will almost invariably be found. A patch is the immediate solution that is provided to users.
Penetration: The successful act of bypassing the security mechanisms of a system.
Penetration Test: The security-oriented probing of a computer system or network to seek out vulnerabilities that an attacker could exploit. The testing involves an attempt to penetrate the system so the tester can report on the vulnerabilities and suggest steps to improve security.
Policy: Organizational-level rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.
Procedure: A procedure provides the descriptive narrative on the policy to which it applies. It is the "how to" of the policy. A procedure tells the organization how a policy is to be carried out.
Protocol: An agreed-upon method of communication used within networks. A specification that describes the rules and procedures products should follow to perform activities on a network.
Risk Analysis: Also known as risk assessment, a process that systematically identifies valuable system resources and threats to those resources, quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.
Router: A router is a piece of hardware or software that connects two or more networks. A router functions as a sorter and interpreter as it looks at addresses and passes bits of information to their proper destinations. Software routers are sometimes referred to as gateways.
Sanitization: To delete sensitive data from a file, a device, or a system; or modify data so that data is useless for attacks.
Security Officer: The person who takes primary responsibility for the security related affairs of the organization.
Security policy: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Sensitive cardholder data: Data whose unauthorized disclosure may be used in fraudulent transaction. It includes, the account number, magnetic stripe data, CVC2/CVV2 and expiration date.
Separation of duties: The practice of dividing the steps in a system function among different individuals, so as to keep a single individual from subverting the process.
Server: A computer that acts as a provider of some service to other computers, such as processing communications, file storage, or printing facility.
SQL injection: A form of attack on a database-driven Web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database.
SSL: An established industry standard that encrypts the channel between a web browser and Web server to ensure the privacy and reliability of data transmitted over this channel.
System Perimeter Scan: An automated tool that remotely checks a merchant's or service provider's systems for vulnerabilities. This non-intrusive test involves probing external-facing systems based on the external-facing Internet protocol (IP) addresses and reporting on the services available to the external network (i.e. services available to the Internet). Scans identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network.
Tamper-resistance: A system is said to be tamper-resistant if it is difficult to modify or subvert, even for an assailant who has physical access to the system.
Threat: A condition that may cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
Token: A device that performs dynamic authentication.
Transaction data: Data related to an electronic payment.
Truncation: The practice of removing a data segment. Commonly, when account numbers are truncated, the first 12 digits are deleted, leaving only the last 4 digits.
Two-factor authentication: Authentication that requires users to produce two credentials - something they have (e.g., smartcards or hardware tokens), and something they know (e.g., a password). In order to access a system, users must produce both factors.
UserID: A character string that is used to uniquely identify each user of a system.
Virus: A program or a string of code that can replicate itself and cause the modification or destruction of software or data.
Vulnerability: A weakness in system security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.
Vulnerability Scan: An automated tool that checks a merchant or service provider's systems for vulnerabilities. Scans identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network.