Payment Card Industry Data Security Standard (PCI DSS)

• About the PCI Data Security Standard (to download the complete PCI DSS)
• Supporting Documents (including a glossary)

FSO-Bursar's Department Services governs and enforces PCI DSS compliance. FSO-Bursar's Department Services partners with Information Security to determine appropriate technical compliance strategies and to develop supporting materials to assist units with compliance. For assistance with credit card merchant questions, issues or concerns, please contact FSO-Bursar's Department Services at 621-5781.  Additional information is available on the website.

To determine what your unit must do to comply, review Section 8.14 of the FRS Departmental Manual and follow the suggested approach below.

1. Merchant Classification - Determine your merchant classification based on your payment method.

• Payment Methods and Validation Requirements Table
• Options available through FSO-Bursar's Departmental Services - Bank of America and CyberSource
  • Dial pay
  • Point of sale equipment
  • Virtual Terminal - Cybersource-hosted online order form into which the UA merchant enters all orders received by mail, telephone, fax or email, or at the point of sale
  • Hosted Order Page - CyberSource-hosted online order form into which customers enter payment info; linked from the merchant's web site; no shopping cart
  • Silent Order Post - Customized, UA merchant-hosted implementation of the Hosted Order Page, into which customers enter payment info

2. Scoping - Define the scope for compliance with network segmentation.

• Security Scanning Procedures

3.  Gap Analysis - Understand the technical and operational requirements and determine your needs.

• Prioritized Approach to Compliance - Tool and Instructions
• PCI Quick Reference Guide
• Navigating PCI DSS: Understanding the Intent of the Requirements 
• Questionnaires and Overview, including Instructions and Guideline
• Report on Compliance Template - SAQ A | SAQ B | SAQ C | SAQ D (full template)
• Glossary, Abbreviations and Acronyms
• Payment Application Data Security Standard
• Validated Payment Applications List
• PIN Entry Devices Standard
• Approved PIN Entry Devices List
• Handling E-Commerce Payments (OWASP)

• Firewalls at UA video
• Compliance Checker for PCI DSS v.1.2 - free tool for checking in-scope Windows servers and desktops
• CIS Benchmarks and scoring tool
• Personal Information Sweep
• Common Retention Schedules
• Sophos antivirus software
• Web Application Security Assessment Procedure - for access to web application security assessment tool
• Web application development resources, including links to OWASP materials
• Virtual Private Network (VPN) software
• CatNet Group Authentication (see second paragraph under diagram)
• WebAuth and NetID
• PhoneFactor free two-factor authentication software
• Text for Third Party Vendor Proposals/Agreements  
• Guideline for Creating Data Security Policies and Procedures (under development)
• Applicable UA Standards and Guidelines
  • Minimum Security for Networked Devices Standard
  • Minimum Security for Networked Devices Implementation Guideline
  • Server Security Standard
  • Password Construction and Management Guidelines
  • Incident Response Standard
  • Management Responsibilities for Information Security Standard
  • Application Security Standard
  • Patching Guidelines
• If Compromised - VISA website
• What to Do if Compromised - Visa Fraud Control & Investigations Procedures
• Training and Awareness Materials
  • General computer security awareness information and training
  • For the employee awareness requirement - VISA's Business Guide to Data Security
  • For the Merchant Responsible Person and IT support staff
    • 2009 Mandatory Meeting Presentation (PPT) 
    • UA Payment Card Compliance Training
      • Background (PPT) (Flash)
      • Compliance Roadmap:  Intro and Step 1 for all SAQs (PPT) (Flash)
      • Compliance Roadmap: Steps 2-7 - SAQ A (PPT) (Flash) | SAQ B (PPT) (Flash) | SAQ C (PPT) (Flash) | SAQ D (PPT) (Flash)
      • Wrap-Up (PPT) (Flash)

5. SAQ/QSA Validation - Fill out the Self-Assessment Questionnaire (for self-assessment) or Report on Compliance Template (for onsite assessment by a Qualified Security Assessor). 

• Questionnaires
• Questionnaires Overview, including  Instructions and Guideline
• Report on Compliance Template - SAQ A | SAQ B | SAQ C | SAQ D (full template)

6.  Scan Validation - Obtain a vulnerability scan, if required (see step 1).

• Security Scanning Procedures
• SecurityMetrics (UA's Approved Scanning Vendor) - enroll for quarterly scan
• Critical Device Scanning Procedure - for access to UA's network vulnerability scanning tool

7.  Stay Compliant - Sustain compliance as rules and systems change.

• Compliance Timeline - SAQ A | SAQ B | SAQ C | SAQ D (partial)

REPORT a payment card security problem. Please reference your department name and related details to ensure proper escalation. 

PCI DSS Principles

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

Source: PCI Security Standards Council