Scope of compliance
Due to the limited nature of the field application environment, this policy is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) C, ver. 2.0, October 2010, which curvedblue.com uses to determine the appropriate compliance criteria and to implement policies and additional controls where necessary.
Policies
Requirement 1: Build and maintain a secure network
Firewall configuration
Firewalls must restrict connections between untrusted networks and any system in the cardholder data environment. An "untrusted network" is any network that is external to the networks belonging to the entity under review and/or that is outside the entity's ability to control or manage. (PCI Requirement 1.2)
Inbound and outbound traffic must be limited to what is necessary for the cardholder data environment. All other inbound and outbound traffic must be specifically denied. (PCI Requirement 1.2.1)
All open ports and services must be documented. The documentation must include the port or service, its source and destination, and a business justification for opening that port or service. (PCI Requirement 1.2.1)
Perimeter firewalls must be installed between all wireless networks and the cardholder data environment. These firewalls must be configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. (PCI Requirement 1.2.3)
The firewall configuration must prohibit direct public access between the Internet and any system component in the cardholder data environment, as follows:
- Direct connections are prohibited for inbound and outbound traffic between the Internet and the cardholder data environment (PCI Requirement 1.3.3)
- Outbound traffic from the cardholder data environment to the Internet must be explicitly authorized (PCI Requirement 1.3.5)
- Firewalls must implement stateful inspection, also known as dynamic packet filtering (PCI Requirement 1.3.6)
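As an added illustration (not part of this policy), the following Python script turns a documented port/service register of the kind Requirement 1.2.1 calls for into a default-deny, stateful nftables forward chain, and refuses to render if any entry lacks a business justification or opens unrestricted Internet access. The network ranges, gateway address and register entries are constructed examples.

```python
from dataclasses import dataclass

# Constructed sample addressing: the cardholder data environment (CDE)
# and the store wireless segment. These are hypothetical values.
CDE_NET = "10.20.0.0/24"
WIFI_NET = "10.20.2.0/24"

@dataclass(frozen=True)
class DocumentedFlow:
    """One entry of the port/service register required by PCI 1.2.1."""
    proto: str          # "tcp" or "udp"
    port: int
    source: str         # CIDR or host
    destination: str    # CIDR or host
    justification: str  # business justification; must not be empty

# Constructed sample register entries (hypothetical gateway and NTP host).
FLOWS = [
    DocumentedFlow("tcp", 443, CDE_NET, "203.0.113.10",
                   "Payment authorization to acquirer gateway"),
    DocumentedFlow("udp", 123, CDE_NET, "10.20.1.5",
                   "Time sync for audit logs"),
]

def register_problems(flows):
    """Return the register entries that would violate the policy above."""
    problems = []
    for f in flows:
        if not f.justification.strip():
            problems.append(f"{f.proto}/{f.port} -> {f.destination}: "
                            "no business justification (1.2.1)")
        if "0.0.0.0/0" in (f.source, f.destination) or "any" in (f.source, f.destination):
            problems.append(f"{f.proto}/{f.port}: unrestricted Internet "
                            "access is not permitted (1.3.3, 1.3.5)")
        if f.proto not in ("tcp", "udp"):
            problems.append(f"{f.proto}/{f.port}: unknown protocol")
    return problems

def render_nftables(flows, cde=CDE_NET, wifi=WIFI_NET):
    """Render a default-deny, stateful nftables forward chain from the register."""
    problems = register_problems(flows)
    if problems:
        raise ValueError("; ".join(problems))
    rules = [
        "table inet cde {",
        "  chain forward {",
        # 1.2.1 / 1.3.3 / 1.3.5: everything not explicitly listed is dropped
        "    type filter hook forward priority 0; policy drop;",
        # 1.3.6: stateful inspection, replies to permitted flows only
        "    ct state established,related accept",
        "    ct state invalid drop",
        # 1.2.3: the wireless segment may not reach the CDE at all
        f'    ip saddr {wifi} ip daddr {cde} drop comment "wireless to CDE (1.2.3)"',
    ]
    for f in flows:
        rules.append(f"    ip saddr {f.source} ip daddr {f.destination} "
                     f'{f.proto} dport {f.port} ct state new accept comment "{f.justification}"')
    rules += ["  }", "}"]
    return "\n".join(rules)
```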
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Vendor defaults
Vendor-supplied defaults must always be changed before a system is installed on the network. Examples of vendor defaults include passwords and SNMP community strings; unnecessary accounts must also be removed. (PCI Requirement 2.1)
Default settings for wireless systems must be changed before deployment. Default wireless environment settings include, but are not limited to:
- Default encryption keys
- Passwords
- SNMP community strings
- Default passwords / passphrases on access points
- Other security-related wireless provider defaults, if applicable
The firmware of wireless devices must be updated to
support strong encryption for authentication and
data transmission over wireless networks. (PCI Requirement 2.1.1)
Unnecessary services and protocols
Only the services, protocols, daemons, etc. necessary for the system's operation may be enabled. All services and protocols not directly needed to perform the device's specified function must be disabled. (PCI Requirement 2.2.2)
Non-console administrative access
Credentials for non-console administrative access must be encrypted using technologies such as SSH, VPN or SSL/TLS. The encryption technologies must satisfy the following: (PCI Requirement 2.3)
- Strong cryptography must be used, and the encryption method must be invoked before the administrator password is requested
- System services and parameter files must be configured to prevent the use of telnet and other insecure remote login commands
- Administrator access to web-based management interfaces must be included
Requirement 3: Protect stored cardholder data
Prohibited data
Processes must be in place to securely delete sensitive authentication data after authorization so that the data is unrecoverable. (PCI Requirement 3.2)
Payment systems must meet the following requirements regarding the non-storage of sensitive authentication data after authorization (even if encrypted):
- The full contents of any track from the magnetic stripe (located on the back of a card, or the equivalent data contained on a chip or elsewhere) are not stored in any form (PCI Requirement 3.2.1)
- The card verification code or value (the three- or four-digit number printed on the front or back of a payment card) is not stored in any form (PCI Requirement 3.2.2)
- The personal identification number (PIN) or encrypted PIN block is not stored in any way (PCI requirement 3.2.3)
PAN display
curvedblue.com will mask the display of PANs (primary account numbers) and limit the display of PANs to employees and other parties with a legitimate need. A properly masked number displays only the first six and last four digits of the PAN. (PCI Requirement 3.3)
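As an added example (not part of this policy), the following Python code masks a PAN to its first six and last four digits and scans constructed log lines for unmasked PANs and track 2 data, the two things Requirements 3.2.1 and 3.3 say must never appear in stored output. The Luhn check serves only to keep order numbers and similar digit runs from being mistaken for PANs.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 2 equivalent data (ISO/IEC 7813 layout): PAN, '=', expiry, service code, ...
TRACK2_RE = re.compile(r"\b(\d{13,19})=\d{7,}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out arbitrary digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits, as PCI 3.3 requires."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a structurally valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_line(line: str):
    """Redact one log line; returns (clean_line, findings)."""
    findings = []

    def track2(m):
        # 3.2.1: full track data must never be retained; keep only the masked PAN.
        findings.append("track2")
        pan = m.group(1)
        head = mask_pan(pan) if luhn_ok(pan) else "[PAN]"
        return head + "=[TRACK2 REMOVED]"

    def pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a PAN (e.g. an order id); left untouched
        findings.append("pan")
        return mask_pan(digits)

    line = TRACK2_RE.sub(track2, line)   # track data first, so its PAN is masked once
    return PAN_RE.sub(pan, line), findings

# Constructed sample log lines; 4111111111111111 is a well-known test PAN.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 auth ok pan=4111 1111 1111 1111 amount=19.99",
    "2024-05-01 12:00:02 swipe raw=4111111111111111=25121015432112345",
    "2024-05-01 12:00:03 order id=1234567890123456 shipped",
]

def scan_log(lines=SAMPLE_LOG):
    """Redact every line and return (clean_line, findings) pairs for review."""
    return [redact_line(line) for line in lines]
```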
Requirement 4: Encrypt transmission of cardholder data over open public networks
Transmission of cardholder data
Cardholder data sent over open, public networks must be protected by the use of strong cryptography and security protocols (e.g., IPSEC, SSL/TLS). Only trusted keys and/or certificates may be accepted. For SSL/TLS implementations, HTTPS must appear in the URL, and cardholder data may only be entered when HTTPS appears in the URL. (PCI Requirement 4.1)
Industry best practices (for example, IEEE 802.11i) must be used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment. (PCI requirement 4.1.1)
Sending unencrypted PANs by end-user messaging technologies is prohibited. Examples of end-user messaging technologies include email, instant messaging and chat. (PCI Requirement 4.2)
Requirement 5: Regularly use and update anti-virus software or programs
Antivirus
All systems, particularly personal computers and servers commonly affected by viruses, must have an antivirus program installed that is capable of detecting, removing and protecting against all known types of malicious software. (PCI Requirements 5.1, 5.1.1)
All antivirus programs must be kept current through automatic updates, be actively running, be configured to run periodic scans, and be capable of generating audit logs. Antivirus logs must be retained in accordance with PCI Requirement 10.7. (PCI Requirement 5.2)
Requirement 6: Develop and maintain secure systems and applications
Security patches
All critical, high-risk security patches must be applied within 14 days of release. This includes patches relevant to operating systems and all installed applications. (PCI Requirement 6.1)
Requirement 7: Restrict access to cardholder data by business need to know
Limit access to cardholder data
Access to curvedblue.com system components and cardholder data is limited to those individuals whose jobs require such access. (PCI Requirement 7.1)
Access restrictions must include the following:
- Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities (PCI Requirement 7.1.1)
- Privileges must be assigned to individuals based on job classification and function (also called "role-based access control") (PCI Requirement 7.1.2)
Requirement 8: Assign a unique ID to each person with computer access
Remote access
Two-factor authentication must be incorporated for remote access (network-level access originating from outside the network) to the network by employees, administrators and third parties. (PCI Requirement 8.3)
Vendor accounts
All accounts used by vendors for remote maintenance must be enabled only during the time period needed. Vendor remote access accounts must be monitored while in use. (PCI Requirement 8.5.6)
Requirement 9: Restrict physical access to cardholder data
Physically secure all media containing cardholder data
Paper documents containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:
- All media must be physically secure. (PCI requirement 9.6)
Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls must include:
- Media must be classified so that the sensitivity of the data can be determined (PCI Requirement 9.7.1)
- Media must be sent by secured courier or another delivery method that can be accurately tracked (PCI Requirement 9.7.2)
Logs must be kept to track all media moved from a secured area, and management approval must be obtained before the media is moved. (PCI Requirement 9.8)
Strict control must be maintained over the storage and accessibility of media containing cardholder data. (PCI Requirement 9.9)
Data destruction
All media containing cardholder data must be destroyed when it is no longer needed for business or legal reasons. (PCI Requirement 9.10)
Hard-copy materials must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. Containers storing information awaiting destruction must be secured to prevent access to the contents. (PCI Requirement 9.10.1)
Requirement 11: Regularly test security systems and processes
Testing for unauthorized wireless access points
At least quarterly, curvedblue.com will perform tests to ensure that no unauthorized wireless access points are present in the cardholder environment. (PCI Requirement 11.1)
This test should detect and identify all unauthorized wireless access points, including at least the following:
- WLAN cards inserted in system components
- Portable wireless devices connected to system components (for example, by USB, etc.)
- Wireless devices connected to a network port or network device
If automated monitoring is used (for example, wireless IDS/IPS, NAC, etc.), it must be configured to generate alerts.
Detection of unauthorized wireless devices must be included
in the incident response plan (see PCI requirement 12.9).
Vulnerability scanning
At least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades), Minnesota State Community and Technical College will conduct vulnerability scans on all affected systems. (PCI Requirement 11.2)
Internal vulnerability scans must be repeated until passing results are obtained, or until all "high" vulnerabilities as defined in PCI Requirement 6.2 are resolved. (PCI Requirements 11.2.1, 11.2.3)
Quarterly vulnerability scan results must satisfy the requirements of the ASV Program Guide (for example, no vulnerabilities rated higher than 4.0 by the CVSS and no automatic failures). External vulnerability scans must be performed by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). (PCI Requirements 11.2.2, 11.2.3)
Requirement 12: Maintain a policy that addresses information security for employees and contractors
Security policy
curvedblue.com will establish, publish, maintain and disseminate a security policy that explains how the company will protect cardholder data. (PCI Requirement 12.1)
This policy should be reviewed at least once a year and should
be updated as needed to reflect changes to the
business objectives or risk environment. (PCI requirement
12.1.3)
Critical technologies
curvedblue.com will establish usage policies for critical technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email and Internet use). (PCI Requirement 12.3)
These policies must include the following:
- Explicit approval by authorized parties to use the technologies (PCI Requirement 12.3.1)
- Authentication for the use of the technology (PCI Requirement 12.3.2)
- A list of all such devices and personnel with access (PCI requirement 12.3.3)
- Acceptable uses of technology (PCI requirement 12.3.5)
- Acceptable network locations for technologies (PCI requirement 12.3.6)
- Automatic disconnection of sessions for remote access technologies after a specific period of inactivity (PCI Requirement 12.3.8)
- Activation of remote access technologies for vendors and business partners only when needed by those vendors and business partners, with immediate deactivation after use (PCI Requirement 12.3.9)
Security responsibilities
curvedblue.com's policies and procedures must clearly define information security responsibilities for all staff. (PCI Requirement 12.4)
Incident response policy
The systems security administrator must establish, document and disseminate security incident response and escalation procedures to ensure timely and effective handling of all situations. (PCI Requirement 12.5.3)
Identification of incidents
Employees must be aware of their responsibilities in detecting security incidents in order to facilitate the incident response plan and procedures. All employees have the responsibility to assist in incident response procedures within their particular areas of responsibility. Here are some examples of security incidents that an employee might recognize in their day-to-day activities:
- Theft, damage or unauthorized access (for example, missing papers from their desk, broken locks, missing log files, an alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry)
- Fraud: inaccurate information in databases, logs, files or paper records
Reporting an incident
The systems security administrator must be immediately notified of any suspected or actual security incident involving cardholder data:
Contact the systems security administrator to report any suspected or actual incident. The internal audit phone number must be well known to all employees and must reach someone outside of office hours.
No one should communicate with anyone other than their supervisor(s) or the systems security administrator about the details or generalities surrounding a suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Executive Dean of Technology Solutions.
Document all the information you know while waiting for the systems security administrator to respond to the incident. If known, this should include the date, time and nature of the incident. Any information you can provide will help in responding appropriately.
Incident response
Responses may include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improved security controls.
Contain, eradicate, recover and perform root cause analysis
- Notify the affected card associations.
Visa
Provide compromised Visa accounts to the Visa Fraud Control Group within ten (10) working days. For assistance, call 1-(650)-432-2978. Account numbers must be sent to Visa securely, in accordance with the Visa Fraud Control Group's instructions. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and will ensure the confidentiality of entity and non-public information. Consult Visa's "What to do in the event of a compromise" documentation for the additional activities that need to be performed. This documentation is available at
http://usa.visa.com/download/business/accepting_visa/ops_risk_managemen…
MasterCard
Contact your merchant bank for more details on the steps to follow after a compromise. Details on the merchant bank (also known as the acquirer) can be found in the Merchant Manual at http://www.mastercard.com/us/wce/PDF/12999_MERC-Entire_Manual.pdf. Your merchant bank will assist you when you call MasterCard at 1-(636)-722-4100.
Discover Card
Contact your relationship manager or call the support line at EMAIL address for further guidance.
- Alert all necessary parties. Be sure to notify:
- The merchant bank
- Local FBI office
- U.S. Secret Service (if Visa payment data is compromised)
- Local authorities (if applicable)
- Perform an analysis of the legal requirements for reporting compromises in every state where customers were affected. The following information source should be used: http://www.ncsl.org/programs/lis/cip/priv/breach.htm
- Collect and protect information associated with the intrusion. In the event that a forensic investigation is required, the DPI will work with the legal department and management to identify the appropriate forensic specialists.
- Eliminate the intruder's means of access and all associated vulnerabilities.
- Look for potential associated risks or damage caused by the intrusion method used.
Root cause analysis and lessons learned
No more than one week after the incident, IT staff and all relevant parties will meet to review the results of any investigation, determine the root cause of the compromise and evaluate the effectiveness of the incident response plan. Other security controls will be reviewed to determine their adequacy against current risks. Any areas identified in which the plan, policy or security control can be made more effective or efficient must be updated accordingly.
Security awareness
curvedblue.com will establish and maintain a formal security awareness program to make all staff aware of the importance of cardholder data security. (PCI Requirement 12.6)
Service providers
curvedblue.com will implement and maintain policies and procedures to manage service providers. (PCI Requirement 12.8) This process must include the following:
- Maintain a list of service providers (PCI requirement 12.8.1)
- Maintain a written agreement that includes an acknowledgment that service providers are responsible for the security of the cardholder data they possess (PCI Requirement 12.8.2)
- Implement a process to perform appropriate due diligence before engaging a service provider (PCI Requirement 12.8.3)
- Monitor the PCI DSS compliance status of service providers (PCI requirement 12.8.4)
Acceptable employee use policy for processing payment card data
All systems in the payment processing environment must be protected with a unique username and password. Unique user accounts mean that each account used is associated with an individual user and/or process, without the use of generic group accounts shared by more than one user or process. All default accounts shipped with operating systems, databases and/or devices must be deleted, disabled or renamed as far as possible. All accounts must meet PCI DSS password requirements.
The PCI standard requires that passwords meet the following requirements:
Password requirements
- Passwords must be at least 7 characters long and at most 15
- Passwords must include both numeric and alphabetic characters
- Passwords must be changed at least every 90 days
- New passwords cannot be the same as any of the last 4 passwords
User accounts in the card data environment will also be subject to the following requirements:
- If an incorrect password is provided 6 times, the account must be locked
- Account lockout duration must be at least 30 minutes (or until an administrator resets it)
- Sessions idle for more than 15 minutes must require re-entry of the username and password to reactivate the session
Accounts within the Card Data Environment are also subject to the following requirements:
- Incorrect password lockout: accounts will be locked after 5 failed attempts to log into the system
- Lockout duration: after continued invalid login attempts, accounts will be locked out of the system for 30 minutes or until a system administrator unlocks the account
- Idle time lockout duration: Remote Desktop sessions will end after one hour of inactivity
- Disconnected Remote Desktop sessions will expire one hour after disconnection.
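As an added example (not part of this policy), the following Python code checks a new password against the rules stated above and models the failed-login lockout and the idle-session timeout. Because the policy states 6 failed attempts for user accounts and 5 for accounts within the card data environment, the threshold is a per-account parameter; times are plain Unix seconds.

```python
# Policy parameters as stated on this page (length, composition, age, history,
# lockout and idle limits); the failure threshold is set per account below.
MIN_LEN, MAX_LEN = 7, 15
MAX_AGE_SECONDS = 90 * 86400
HISTORY = 4
LOCKOUT_SECONDS = 30 * 60
IDLE_SECONDS = 15 * 60

def password_problems(candidate, previous):
    """Return the rules a new password violates (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must contain both alphabetic and numeric characters")
    if candidate in previous[-HISTORY:]:
        problems.append(f"must differ from the last {HISTORY} passwords")
    return problems

def password_expired(changed_at, now):
    """True once the password is older than 90 days (times are Unix seconds)."""
    return now - changed_at > MAX_AGE_SECONDS

class Account:
    """Failed-login counting, lockout and idle-session state for one user account."""
    def __init__(self, max_failures=6):
        self.max_failures = max_failures
        self.failures = 0
        self.locked_until = None   # Unix seconds, or None when not locked
        self.last_activity = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_login(self, success, now):
        """Apply one login attempt; returns True only when the login is accepted."""
        if self.is_locked(now):
            return False           # attempts during lockout are rejected regardless
        if success:
            self.failures = 0
            self.locked_until = None
            self.last_activity = now
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False

    def admin_unlock(self):
        # An administrator may clear the lockout before the 30 minutes elapse.
        self.locked_until = None
        self.failures = 0

    def session_requires_reauth(self, now):
        """True when the session has been idle for more than 15 minutes."""
        return self.last_activity is None or now - self.last_activity > IDLE_SECONDS
```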