Scope of compliance

Because of the limited nature of the in-scope environment, this policy is intended to meet the PCI requirements defined in Self-Assessment Questionnaire (SAQ) C, version 2.0, October 2010. curvedblue.com uses it to determine the appropriate compliance criteria and to implement additional policies and controls where necessary.


Policies

Requirement 1: Build and maintain a secure network


Firewall configuration

 

Firewalls must restrict connections between untrusted networks and any system in the cardholder data environment. An "untrusted network" is any network external to the networks belonging to the assessed entity and/or that is outside the entity's ability to control or manage. (PCI Requirement 1.2)

Inbound and outbound traffic must be limited to what is necessary for the cardholder data environment. All other inbound and outbound traffic must be explicitly denied. (PCI Requirement 1.2.1)

All open ports and services must be documented. The documentation must include the port or service, its source and destination, and a business justification for opening that port or service. (PCI Requirement 1.2.1)

Perimeter firewalls must be installed between all wireless networks and the cardholder data environment. These firewalls must be configured to deny or control (where such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. (PCI Requirement 1.2.3)

The firewall configuration must prohibit direct public access between the Internet and any system component in the cardholder data environment, as follows:

  • Direct connections for inbound and outbound traffic between the Internet and the cardholder data environment are prohibited (PCI Requirement 1.3.3)
  • Outbound traffic from the cardholder data environment to the Internet must be explicitly authorized (PCI Requirement 1.3.5)
  • Firewalls must implement stateful inspection, also known as dynamic packet filtering (PCI Requirement 1.3.6)


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Vendor defaults

Vendor-supplied default values must always be changed before a system is installed on the network. Examples of vendor defaults include passwords and SNMP community strings; unnecessary default accounts must also be removed. (PCI Requirement 2.1)

Default settings for wireless systems must be changed before deployment. Wireless environment defaults include, but are not limited to:

  • Default encryption keys
  • Passwords
  • SNMP community strings
  • Default passwords / passphrases on access points
  • Other security-related wireless provider defaults, if applicable

Firmware on wireless devices must be updated to support strong encryption for authentication and data transmission over wireless networks. (PCI Requirement 2.1.1)


Unnecessary services and protocols

Only the services, protocols, daemons, etc. necessary for the system's operation may be enabled. All services and protocols not directly needed to perform the device's specified function must be disabled. (PCI Requirement 2.2.2)


Non-console administrative access

All non-console administrative access must be encrypted using technologies such as SSH, VPN or SSL/TLS. The encryption technology must satisfy the following: (PCI Requirement 2.3)

  • Strong cryptography must be used, and the encryption method must be invoked before the administrator password is requested
  • System services and parameter files must be configured to prevent the use of telnet and other insecure remote login commands
  • Administrator access to web-based management interfaces must also be encrypted

Requirement 3: Protect stored cardholder data


Prohibited data

Processes must be in place to securely delete sensitive authentication data after authorization so that the data is unrecoverable. (PCI Requirement 3.2)

Payment systems must meet the following requirements concerning the non-storage of sensitive authentication data after authorization (even if encrypted):

  • The full contents of any track from the magnetic stripe (on the back of a card, or the equivalent data on a chip or elsewhere) are not stored in any form (PCI Requirement 3.2.1)
  • The card verification code or value (the three- or four-digit number printed on the front or back of a payment card) is not stored in any form (PCI Requirement 3.2.2)
  • The personal identification number (PIN) or encrypted PIN block is not stored in any form (PCI Requirement 3.2.3)


PAN display

curvedblue.com masks the display of PANs (primary account numbers) and limits the display of PANs to employees and other parties with a legitimate need to see them. A correctly masked number displays only the first six and last four digits of the PAN. (PCI Requirement 3.3)


Requirement 4: Encrypt transmission of cardholder data over open public networks

Transmission of cardholder data

Cardholder data sent over open, public networks must be protected with strong cryptography or security protocols (e.g. IPSEC, SSL/TLS). Only trusted keys and/or certificates may be accepted. For SSL/TLS implementations, HTTPS must appear in the URL, and cardholder data may be entered only when HTTPS appears in the URL. (PCI Requirement 4.1)

Industry best practices (for example, IEEE 802.11i) must be used to implement strong encryption for authentication and transmission on wireless networks that transmit cardholder data or are connected to the cardholder data environment. (PCI Requirement 4.1.1)

Sending unencrypted PANs by end-user messaging technologies is prohibited. Examples of end-user messaging technologies include email, instant messaging and chat. (PCI Requirement 4.2)


Requirement 5: Regularly use and update anti-virus software or programs

Antivirus

All systems, particularly personal computers and servers commonly affected by viruses, must have antivirus software installed that is capable of detecting, removing and protecting against all known types of malware. (PCI Requirements 5.1, 5.1.1)

All antivirus software must be kept current through automatic updates, be actively running, be configured to run periodic scans and be capable of generating audit logs. Antivirus logs must be retained in accordance with PCI Requirement 10.7. (PCI Requirement 5.2)


Requirement 6: Develop and maintain secure systems and applications

Security patches

All critical, high-risk security patches must be applied within 14 days of release. This includes patches for operating systems and all installed applications. (PCI Requirement 6.1)

Requirement 7: Restrict access to cardholder data by business need to know


Limit access to cardholder data

Access to curvedblue.com system components and cardholder data is limited to those individuals whose job requires such access. (PCI Requirement 7.1)

Access restrictions must include the following:

  • Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities (PCI Requirement 7.1.1)
  • Privileges must be assigned to individuals based on job classification and function (also called "role-based access control") (PCI Requirement 7.1.2)


Requirement 8: Assign a unique ID to each person with computer access

Remote access

Two-factor authentication must be implemented for remote access (network-level access originating from outside the network) to the network by employees, administrators and third parties. (PCI Requirement 8.3)


Vendor accounts

All accounts used by vendors for remote maintenance must be enabled only during the time period needed. Vendor remote access accounts must be monitored while in use. (PCI Requirement 8.5.6)


Requirement 9: Restrict physical access to cardholder data

Physically secure all media containing cardholder data

Paper documents containing confidential or sensitive information (e.g. paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:

  • All media must be physically secure. (PCI requirement 9.6)

Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls must include:

  • Media must be classified so that the sensitivity of the data can be determined (PCI Requirement 9.7.1)
  • Media must be sent by secured courier or another delivery method that can be accurately tracked (PCI Requirement 9.7.2)

Logs must be kept to track all media moved from a secured area, and management approval must be obtained before media is moved. (PCI Requirement 9.8)

Strict control must be maintained over the storage and accessibility of media containing cardholder data. (PCI Requirement 9.9)


Data destruction

All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. (PCI Requirement 9.10)

Paper media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. Containers holding information awaiting destruction must be secured to prevent access to the contents. (PCI Requirement 9.10.1)


Requirement 11: Regularly test security systems and processes

Testing for unauthorized wireless access points

At least quarterly, curvedblue.com performs tests to ensure that no unauthorized wireless access points are present in the cardholder data environment. (PCI Requirement 11.1)

These tests must detect and identify all unauthorized wireless access points, including at least the following:

  • WLAN cards inserted in system components
  • Portable wireless devices connected to system components (for example, by USB, etc.)
  • Wireless devices connected to a network port or network device

If automated monitoring is used (for example, wireless IDS/IPS, NAC, etc.), it must be configured to generate alerts.

Detection of unauthorized wireless devices must be included in the incident response plan (see PCI Requirement 12.9).


Vulnerability scanning

At least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications or product upgrades), Minnesota State Community and Technical College will conduct vulnerability scans on all affected systems. (PCI Requirement 11.2)

Internal vulnerability scans must be repeated until passing results are obtained, or until all "high" vulnerabilities as defined in PCI Requirement 6.2 are resolved. (PCI Requirements 11.2.1, 11.2.3)

Quarterly external vulnerability scan results must satisfy the requirements of the ASV Program Guide (for example, no vulnerability rated higher than 4.0 by the CVSS and no automatic failures). External vulnerability scans must be performed by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). (PCI Requirements 11.2.2, 11.2.3)

Requirement 12: Maintain a policy that addresses information security for employees and contractors


Security policy

curvedblue.com will establish, publish, maintain and disseminate a security policy that explains how the company will protect cardholder data. (PCI Requirement 12.1)

This policy must be reviewed at least annually and updated as needed to reflect changes in business objectives or the risk environment. (PCI Requirement 12.1.3)


Critical technologies

curvedblue.com will establish usage policies for critical technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email and Internet use). (PCI Requirement 12.3)

These policies must include the following:

  • Explicit approval by authorized parties to use the technologies (PCI Requirement 12.3.1)
  • Authentication for the use of the technology (PCI Requirement 12.3.2)
  • A list of all such devices and personnel with access (PCI requirement 12.3.3)
  • Acceptable uses of technology (PCI requirement 12.3.5)
  • Acceptable network locations for technologies (PCI requirement 12.3.6)
  • Automatic disconnection of remote access technology sessions after a specific period of inactivity (PCI Requirement 12.3.8)
  • Activation of remote access technologies for vendors and business partners only when vendors and business partners need it, with immediate deactivation after use (PCI Requirement 12.3.9)


Security responsibilities

curvedblue.com policies and procedures must clearly define information security responsibilities for all personnel. (PCI Requirement 12.4)


Incident response policy

The systems security administrator must establish, document and disseminate security incident response and escalation procedures to ensure timely and effective handling of all situations. (PCI Requirement 12.5.3)


Identification of incidents

Employees must be aware of their responsibilities for detecting security incidents so that the incident response plan and procedures can be carried out. All employees are responsible for participating in incident response procedures within their particular areas of responsibility. Here are some examples of security incidents that an employee might recognize in daily activities:

  • Theft, damage or unauthorized access (for example, papers missing from a desk, broken locks, missing log files, an alert from a security guard, video evidence of a break-in or of unplanned/unauthorized physical entry)
  • Fraud: inaccurate information in databases, logs, files or paper records

Reporting an incident

The systems security administrator must be informed immediately of any suspected or actual security incident involving cardholder data:

Contact the systems security administrator to report any suspected or actual incident. The internal audit phone number must be well known to all employees and must reach someone outside of office hours.

No one should communicate with anyone other than their supervisor(s) or the systems security administrator about the details or generalities of a suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Executive Dean of Technology Solutions.

Document all the information you know while waiting for the systems security administrator to respond to the incident. If known, this should include the date, time and nature of the incident. Any information you can provide will help in responding appropriately.


Incident response

Responses may include or proceed through the following steps: identification, severity classification, containment, eradication, recovery and root cause analysis leading to improved security controls.

Contain, eradicate, recover and perform root cause analysis

  1. Notify the affected card associations.


Visa

Provide compromised Visa accounts to the Visa Fraud Control Group within ten (10) business days. For assistance, call 1-(650)-432-2978. Account numbers must be sent securely to Visa in accordance with the Visa Fraud instructions. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and will keep the entity's identity and non-public information confidential. Consult Visa's "What to do if compromised" documentation for the additional activities that must be carried out. This documentation is available at http://usa.visa.com/download/business/accepting_visa/ops_risk_managemen…


MasterCard

Contact your merchant bank for specific details on the steps to follow after a compromise. Details on the merchant bank (also known as the acquirer) can be found in the merchant manual at http://www.mastercard.com/us/wce/PDF/12999_MERC-Entire_Manual.pdf. Your merchant bank will assist you when you call MasterCard at 1-(636)-722-4100.


Discover Card

Contact your relationship manager or call the support line at EMAIL address for further guidance.

  2. Alert all necessary parties. Be sure to notify:
     a. Merchant bank
     b. Local FBI office
     c. US Secret Service (if Visa payment data is compromised)
     d. Local authorities (if applicable)
  3. Perform an analysis of the legal requirements for reporting compromises in every state where customers were affected. The following information source should be used: http://www.ncsl.org/programs/lis/cip/priv/breach.htm
  4. Collect and protect information associated with the intrusion. If a forensic investigation is required, the DPI will work with the legal department and management to identify appropriate forensic specialists.
  5. Eliminate the intruder's means of access and all associated vulnerabilities.
  6. Look for potential associated risks or damage caused by the intrusion method used.


Root cause analysis and lessons learned

No more than one week after the incident, IT department members and all relevant parties will meet to review the results of any investigation, determine the root cause of the compromise and assess the effectiveness of the incident response plan. Other security controls will be reviewed to determine their adequacy against current risks. Any area in which a plan, policy or security control can be made more effective or efficient must be updated accordingly.


Security awareness

curvedblue.com will establish and maintain a formal security awareness program to make all personnel aware of the importance of cardholder data security. (PCI Requirement 12.6)


Service providers

curvedblue.com will implement and maintain policies and procedures for managing service providers. (PCI Requirement 12.8) This process must include the following:

  • Maintain a list of service providers (PCI Requirement 12.8.1)
  • Maintain a written agreement that includes an acknowledgment that service providers are responsible for the security of the cardholder data they possess (PCI Requirement 12.8.2)
  • Implement a process to perform appropriate due diligence before engaging a service provider (PCI Requirement 12.8.3)
  • Monitor the PCI DSS compliance status of service providers (PCI requirement 12.8.4)


Acceptable employee use policy for processing payment card data

All systems in the payment processing environment must be protected with a unique username and password. Unique user accounts mean that each account used is associated with an individual user and/or process, without the use of generic group accounts shared by more than one user or process.

All default accounts supplied with operating systems, databases and/or devices must be deleted, disabled or renamed wherever possible. All accounts must meet PCI DSS password requirements.

The PCI standard requires that passwords meet the following requirements:

Password requirements

  • Passwords must be at least 7 characters long and at most 15
  • Passwords must include both numeric and alphabetic characters
  • Passwords must be changed at least every 90 days
  • New passwords cannot be the same as any of the last 4 passwords
  • If an incorrect password is provided 6 times, the account must be locked
  • The account lockout duration must be at least 30 minutes (or until an administrator resets it)
  • Sessions idle for more than 15 minutes must require the username and password to be re-entered to reactivate the session
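The following Python checker is an added illustration of the password rules listed above (7 to 15 characters, numeric and alphabetic, 90-day maximum age, no reuse of the last 4 passwords, lockout after 6 failures for 30 minutes); it is example code written for this page, not curvedblue.com's implementation, and it uses the 6-attempt threshold from this list rather than the 5 given in the list that follows.

```python
import hashlib
import hmac
import secrets

# Parameters from the password requirements above (times in seconds). The
# later list says 5 failed attempts rather than 6; MAX_FAILURES is the knob.
MIN_LEN, MAX_LEN = 7, 15        # at least 7 and at most 15 characters
MAX_AGE = 90 * 24 * 3600        # changed at least every 90 days
HISTORY = 4                     # not equal to any of the last 4 passwords
MAX_FAILURES = 6                # 6 incorrect passwords lock the account
LOCKOUT = 30 * 60               # locked for at least 30 minutes


def _hash(pw, salt):
    # Salted, slow hash so stored history entries are not reversible.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_complexity(pw):
    """Return the list of complexity violations (empty means compliant)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length must be 7-15 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("must contain a numeric character")
    if not any(c.isalpha() for c in pw):
        problems.append("must contain an alphabetic character")
    return problems


class Account:
    def __init__(self):
        self.history = []         # (salt, hash) pairs, newest last
        self.changed_at = None    # time of the last password change
        self.failures = 0
        self.locked_until = 0

    def set_password(self, pw, now):
        """Apply complexity and history rules; return violations or []."""
        problems = check_complexity(pw)
        if any(hmac.compare_digest(_hash(pw, s), h)
               for s, h in self.history[-HISTORY:]):
            problems.append("matches one of the last 4 passwords")
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(pw, salt)))
        self.changed_at, self.failures = now, 0
        return []

    def login(self, pw, now):
        """Return 'ok', 'bad', 'locked' or 'expired' for one login attempt."""
        if now < self.locked_until:
            return "locked"
        salt, h = self.history[-1]
        if not hmac.compare_digest(_hash(pw, salt), h):
            self.failures += 1
            if self.failures >= MAX_FAILURES:   # the 6th failure locks
                self.locked_until, self.failures = now + LOCKOUT, 0
            return "bad"
        self.failures = 0
        return "expired" if now - self.changed_at > MAX_AGE else "ok"
```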

Accounts within the Card Data Environment are also subject to the following requirements:

  • Incorrect password lockout
      • Accounts will be locked after 5 failed attempts to log into the system
  • Lockout duration
      • After continued invalid login attempts, accounts will be locked out of the system for 30 minutes or until a system administrator unlocks the account
  • Idle time lockout duration
      • Remote Desktop sessions will end after one hour of inactivity
      • A disconnected Remote Desktop session will expire one hour after disconnection.


Remote access

All employees, directors or vendors authorized for remote access to the card data environment must be configured with two-factor authentication. Third-party accounts will be active only when access is required for the service provided, and will be audited by the system during connection. Third-party remote access must be deactivated immediately after