Payment Card Industry Policy - Northern Michigan University

Beginning September 2023, each person with access to payment card data, applications, or systems, or who is the PCI Steward for their department, is required to, at a minimum, take PCI training at the point of hire and annually. This action is required for NMU to assert compliance to our bank and the card brands.

These procedures are under review in order to address updated PCI Self-Assessment requirements:
 
Supporting External Document:  PCI Security Standards Council Self-Assessment Questionnaire Version D1.2

Note:  The Payment Card Industry defines several areas for which written policies must be in place before PCI compliance can be achieved.  Some of these areas overlap longstanding information technology standards.  As such, some policies necessary for PCI compliance are already in place.   These university policies are referenced within these Payment Card Standards.
 

Responsibilities

I.T. Hosted PCI Technology:  An annual security risk review is conducted each year by the Information Technology/Information Services department.  This review incorporates an Access Control List (ACL) review for all centralized technology for the university.  In addition to the ACL review of I.T. Hosted PCI Technology servers, the PCI Self-Assessment Questionnaire is completed at this time for all I.T. hosted PCI technology. 

Department Hosted PCI Technology:  When departments choose to host PCI technology, then the full compliance responsibility as defined by PCI standards lies with the host department.  These responsibilities include written documentation to support appropriate security, system access, retention and disposal of data, regular updating of antivirus software, patch and new release requirements, use of cardholder media, security logs, system scanning, acceptable use, connections to other systems, incident response plan, policy, and annual risk assessment (completion of the appropriate PCI Self-Assessment Questionnaire) .  

When a department hosts part of the technology, such as when I.T. hosts the server but the department is responsible for the software updates and access, I.T. will work with the department to define the sections of the PCI standards that are the responsibility of the department.  Non-compliance with PCI standards will necessitate immediate cessation of accepting payment cards in the department. 

Vendor Hosted PCI Technology:  When the PCI technology resides off campus, the contract for use must still provide for PCI compliance.  In addition to the Risk Manager’s review of the contract, the Information Technology/Information Services department will also provide technical assistance to ensure that the contract assigns accountability for PCI compliance.  If a contract is already in place, I.T. will assist in the decision to terminate the contract if PCI compliance cannot be assured; in some cases, alternate procedures can be developed to bring a vendor package into compliance for the University. 

Vendor Software:  As of July 2010, all software used to process or store cardholder data must be PCI compliant.  In addition, both the vendor and the gateway provider (if applicable) must be listed as PCI compliant on the most recent http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf website.  The NMU host (I.T. or department) is responsible for verification of vendor software and gateway compliance status.  For vendor hosted I.T. technology, the department contracting for service will verify compliance.  In addition, any proposed new or renewed contracts for PCI technology must be reviewed by both Risk Management and the Information Technology/Information Services department to ensure that PCI compliance responsibilities are properly defined. 

Requirement Checklist

In order to ensure PCI compliance, I.T. will complete the full PCI security standards Internal Control Questionnaire annually.  Departments hosting I.T. technology will use this checklist to survey for compliance issues.  Each item listed below must be checked “yes”.  Mitigation processes may be possible if “no” is the accurate answer.  Refer to the Information Technology/Information Services department for help with “no” answers.   The requirement numbering corresponds to PCI security standards self-assessment questionnaire numbering.  Further details about the requirements can be found on the Official PCI security standards council website at https://www.pcisecuritystandards.org/

  Yes or seek guidance from (I.T. department)

1.  Network is Secure:   PCI servers and software are supported by a current network diagram that shows all connections to cardholder data, including the physical location of the server, the network connections to trusted and untrusted networks, use of routers, specific firewall, location inside or outside the demilitarized zone (DMZ), and any other relevant security controls (such as VPN or network security or IP address restrictions).  Vendor access, for example, use of open ports or PC Anywhere, is described on the network diagram.  Port access is restricted to that which is necessary to process payment cards.  These network documents are reviewed and approved by the Information Technology/Information Services department annually as part of the PCI Self-Assessment.

2.  Vendor Defaults have been Changed:   Vendor-supplied default passwords, including those for wireless technology, are changed on all PCI systems.  In the event that a vendor user ID is necessary for maintenance or support, the vendor password is changed both at installation and after installation is complete; this control recognizes that different vendor personnel may be involved in installation and maintenance.

3.  Cardholder Data is Protected:  Reference NMU Acceptable Use Policy; PCI technology will only be used to process legitimate cardholder transactions.  Card data is kept only for the amount of time necessary to complete a transaction or settle a disputed transaction.  At no time will the full content of any track from the magnetic stripe be retained.  The card verification code and PIN verification value will never be stored or retained.  In general, only the cardholder name, PAN, expiration date, and service code are collected.  The PAN is masked (only the first six or last four digits displayed) on all POS printouts and on systems.  PANs, when stored, are rendered unreadable by strong cryptography.  Exceptions to encrypting PAN data will only be allowed for a time period defined by management as necessary to process disputed transactions.  Cryptographic keys are restricted to those employees with the absolute necessity to have access (for example, those responsible for re-keying).  The secure storage and use of cryptographic keys are controlled by the Information Technology/Information Services department and may include the use of a form stating that the employee understands and accepts the key-custodian responsibilities. 

4.  Cardholder Data is Encrypted when Transmitting across Public Networks:  Sending unencrypted PANs by any means, including e-mail, is strictly prohibited.  Industry best practices (for example IEEE 802.11i) are used for authentication a transmission of cardholder data.  Gateway service providers must be certified as PCI compliant and must appear on the VISA validated service provider listing.

5.  Anti-Virus Software:  All University computers and servers are loaded with antivirus software and are scheduled for daily updates.  Removing or modifying this antivirus software is strictly prohibited.   Changes to antivirus protection systems must be approved by I.T. management.  Any departments hosting PCI technology must still ensure that current and appropriate antivirus protection is active.

6a. Maintain Secure Systems:  Each host of PCI technology will determine a person or group of people responsible for identifying and applying software patches and new releases.  An accountability process for new releases and patches are developed and documented.  Patches are applied within 30 days of release date.  Good update controls must be in place.  These include documenting test results; test signoff by system users; review of all update documentation (which may include several sets of documentation if several updates are installed at one time); back-out procedures; sign-off by management; as well as assurance that live PAN data is not used in the testing.  Exceptions are reported to the Information Technology/Information Services department for review and assessment.

6b. Firewalls and Web-Facing Applications:  Public facing web applications developed by Northern Michigan University are subject to specific review.  In general, firewall installation, restricted URL access, and other current coding guidelines as described in “Open Web Application Security Project Guide,” must be used to review internally developed web-facing applications.

7a.   Restrict Access to Cardholder Data:  The standard for access restriction is “business need-to-know.”  The most basic restriction is the technology’s access restriction settings.  All access control settings begin with the default of “deny-all.”  Access is added based on management’s recommendation for the least privileges necessary to perform well-controlled business processes.    Access rights assigned are supported by documented management approval. 

7b.  Paper Records:  Reference NMU’s Records Retention Policy.  Employees are provided with equipment that will allow them to process card data without leaving information unsecured and unattended.  Where necessary, the department will purchase a lock-box or other security device to hold paper records until they can be processed and disposed of. 

7c.  Media Destruction:  Reference NMU’s Records Retention Policy.  Paper with cardholder data must be cross-cut shredded, incinerated, or pulped. 

8a.  Unique User Id is Assigned to Each User:  Each user of a PCI Technology system will have unique user identification.  This applies to the system administer as well as daily users.  No shared passwords or user ID’s are allowed.  

8b.  Authentication:  Remote access to PCI technology systems are authenticated by two factor authentication (for instance VPN certificates) or through ports opened specifically opened for vendor maintenance.   Ports automatically close after access or are not accessible by others. 

8c.  Passwords:  Passwords will meet the minimum standards of NMU’s (Oracle) Password policy:  In addition, due to PCI guidelines, password parameters for cardholder systems are required to change at least annually.  Where possible, passwords will be at least seven characters, include both alpha and numeric, and not repeatable.  Likewise, where possible, repeated attempts at access should result in disabled ID after no more than six attempts.   Finally, idle timeout or alternate workstation password queued screensaver should be set where possible. 

8d.  System Administrator:  Each system must be assigned a system administrator:  The system administrator is responsible for retaining documentation about user access, including access control authorization; removal of terminated employees; removal of inactive accounts; controlled process for verifying user identity before password resets; lockout timing; idle session controls; as well as communicating password management guidelines as allowed by the system to all users. 

8e.  Administrator Responsibility:  Each administrator is responsible for ensuring that the database holding cardholder data is properly secured to prevent unauthorized viewing, modification, or deletion.      

9a.  Physical Access Restrictions:  Servers, or any device that stores cardholder data, are physically secure from non-employees.  The University is insured against fraud, theft, and cyber fraud committed by employees.  Due to limits in this policy, vendors, service personal, visitors, delivery persons, etc. are never allowed unsupervised access to devices holding cardholder data.  The best option is to house servers in an I.T. area specially designed to secure these devices.   If this is not possible for department hosted PCI technology, other secure arrangements can be made, but must be approved by the department manager, the Risk Manager, and a representative of the Information Technology/Information Services department to meet PCI physical security requirements.

9b.  Retention and Disposal of Data:  All cardholder media is classified as confidential.  Holding, copying, or removing cardholder data is grounds for dismissal and evidence will be turned over to the University’s Public Safety department for possible prosecution.  Transmission of confidential media is prohibited except as explicitly approved and documented by a manager of the Information Technology/Information Services department.  Disposal of media should occur at the earliest time allowable.  Hardcopy materials are shredded, incinerated, or pulped.  Electronic media is rendered unrecoverable via secure industry-accepted deletion methods.   Materials scheduled for destruction, including paper media, must be secured (locked) to prevent copying or theft.  

9c.  Computer system back-ups:  Any media back-ups are stored in a secure location, preferably off-site.  Transmission and storage of back-ups is secure.

9d.  Cardholder media:  Any cardholder media stored over 90 days is subject to media inventories. It must be logged by media type, size, storage location, security classification, and destruction date.  Cardholder media stored for less than 90 days still must be justified by a legitimate business purposed and appropriately secured and stored. 

10.  Audit Trails:  Audit trails are enabled to record and identify system access.  Security logs are reviewed daily or programmatically sorted to flag critical issues.  Audit trails are held for a minimum of one year with at least three months immediately available.   

11.  Regular Testing of Security Systems:  All systems secured behind the university DMZ are scanned at the direction of the Information Technology/Information Services department.  PCI system networks are scanned quarterly.  The results are reviewed in a timely manner and vulnerabilities are corrected.  Rescanning has confirmed that any identified vulnerabilities have been corrected.   Department hosted PCI technology has been scanned by an approved scanning vendor.  Annual network and application penetration testing results have been reviewed with any required adjustments installed.  Any department hosted PCI technology is scanned and penetration tested at the department’s direction and cost.   Results must be forwarded to the Information Technology/Technical Services department for inclusion in the annual review.   

12.  Information Security Policy:   The I.T. areas, led by the Information Technology/Information Services department, will annually review the PCI network diagrams to ensure that it includes all PCI technology.  The diagram and list of PCI technology are updated to show additions, deletions, and changes.  Risk is assessed and I.T. will adjust processes and written procedures, and if necessary, policy and this standards document, to reflect decisions based on the risk assessment.    Department hosted PCI sites are required to send updated network diagrams and scan evidence the Information Technology/Technical Services department annually.  In addition, both the Information Technology/Information Services department and any department hosting PCI technology is required to submit current procedures to the Information Technology/Information Services department for inclusion in the annual review documentation.

13.  Compliance Certification:  NMU requires the use of only PCI compliant software applications and gateway services.  Software certification evidence is required for new vendors and for renewal of existing vendors.  All gateway service providers must appear on the Visa website.

14.  Incident Response:  An incident response plan names the contact persons in a team to address during and debrief after a fraud, attempted fraud, or removed data event is identified.  The plan, in short, describes the reasons that led to the incident, any actions or mitigation that is developed to address the incident, and the action taken to prevent future occurrences.