
Credit Card Security Policies


PCI DSS 3.0

Version 1.0 - 02/2016

 

 

CONFIDENTIAL INFORMATION

This document is the property of Coast 2 Coast E Solutions; it contains information that is proprietary, confidential, or otherwise restricted from disclosure. If you are not an authorized recipient, please return this document to the above-named owner. Dissemination, distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of Coast 2 Coast E Solutions.

 

Revision History

Changes              | Approving Manager | Date
---------------------|-------------------|------
Initial Publication  |                   |

Introduction and Scope

Introduction

 

This document explains Coast 2 Coast E Solutions’s credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program.  Coast 2 Coast E Solutions management is committed to these security policies to protect information utilized by Coast 2 Coast E Solutions in attaining its business goals.  All employees are required to adhere to the policies described within this document.

Scope of Compliance

 

The PCI requirements apply to all systems that store, process, or transmit cardholder data.  Currently, Coast 2 Coast E Solutions’s cardholder environment consists only of limited payment applications (typically point-of-sale systems) connected to the internet, but does not include storage of cardholder data on any computer system. 

 

Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) C-VT, ver. 3.0, released February, 2014.  Should Coast 2 Coast E Solutions implement additional acceptance channels, add additional connected systems, begin storing cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ C-VT, it will be the responsibility of Coast 2 Coast E Solutions to determine the appropriate compliance criteria and implement additional policies and controls as needed.

 

Requirement 1:  Build and Maintain a Secure Network

 

Firewall Configuration

 

Firewalls must restrict connections between untrusted networks and any system in the cardholder data environment.  An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage. Access to the internet must be through a firewall, as must any direct connection to a vendor, processor, or service provider. (PCI Requirement 1.2)

Inbound and outbound traffic must be restricted by the firewalls to that which is necessary for the cardholder data environment.  All other inbound and outbound traffic must be specifically denied. (PCI Requirement 1.2.1)

All open ports and services must be documented.  Documentation should include the port or service, source and destination, and a business justification for opening said port or service. (PCI Requirement 1.2.1)

Perimeter firewalls must be installed between any wireless networks and the cardholder data environment.  These firewalls must be configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. (PCI Requirement 1.2.3)

 

Firewall configuration must prohibit direct public access between the Internet and any system component in the cardholder data environment as follows:

 

  • Direct connections are prohibited for inbound and outbound traffic between the Internet and the cardholder data environment. (PCI Requirement 1.3.3)

  • Outbound traffic from the cardholder data environment to the Internet must be explicitly authorized by management and controlled by the firewall. (PCI Requirement 1.3.5)

  • Firewalls used to protect the cardholder data environment must implement stateful inspection, also known as dynamic packet filtering. (PCI Requirement 1.3.6)


Any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) that also have the ability to access the organization’s cardholder data environment must have a local (personal) software firewall installed and active.  This firewall must be configured to specific standards and must not be alterable by the users of those computers. (PCI Requirement 1.4)

 

Requirement 2:  Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Vendor Defaults

 

Vendor-supplied defaults must always be changed, and unnecessary default accounts removed or disabled, before a system is installed on the network.  Examples of vendor defaults include default passwords and SNMP community strings. (PCI Requirement 2.1)

Default settings for wireless systems must be changed before implementation.  Wireless environment defaults include, but are not limited to: (PCI Requirement 2.1.1)

 

  • Default encryption keys

  • Passwords

  • SNMP community strings

  • Default passwords/passphrases on access points

  • Other security-related wireless vendor defaults as applicable

 

Firmware on wireless devices must be updated to support strong encryption (such as WPA2; WEP is not acceptable) for authentication and transmission of data over wireless networks.

 

Configuration Standards for Systems

 

Configuration standards for all system components must be developed and enforced. Coast 2 Coast E Solutions must ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards (for example, those published by CIS, ISO, SANS, or NIST).

Configuration standards must be updated as new vulnerability issues are identified, and they must be enforced on any new systems before they are added to the cardholder data environment. The standards must cover the following:

 

  • Enabling only necessary services, protocols, daemons, etc., as required for the function of the system. (PCI Requirement 2.2.2)

  • Implementing additional security features for any required services, protocols or daemons that are considered to be insecure. (PCI Requirement 2.2.3)

  • Configuring system security parameters to prevent misuse.

  • Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. (PCI Requirement 2.2.5)

 

System administrators and any other personnel who configure system components must be knowledgeable about common security parameter settings for those components. They are also responsible for ensuring that security parameter settings are set appropriately on all system components before they enter production. (PCI Requirement 2.2.4)

Non-Console Administrative Access

All non-console administrative access (for example, remote shell or web-based management) must be encrypted using strong cryptography such as SSH, VPN, or SSL/TLS. The following apply: (PCI Requirement 2.3)

  • Strong cryptography must be in use, and the encrypted session must be established before the administrator’s password is requested.

  • System services and parameter files must be configured to prevent the use of telnet and other insecure remote login commands.

  • These controls apply equally to administrator access to web-based management interfaces.

  • Vendor documentation and personnel knowledge must be used to verify that strong cryptography is in use for all non-console access and that, for the technology in use, it is implemented according to industry best practices and vendor recommendations.

Requirement 3:  Protect Stored Cardholder Data

Prohibited Data

Processes must be in place to securely delete sensitive authentication data (defined below) after authorization so that the data is unrecoverable.

Payment systems must not store sensitive authentication data in any form after authorization (even if encrypted). Sensitive authentication data is defined as the following:

  • The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance. (PCI Requirement 3.2.2)

  • The personal identification number (PIN) is not stored under any circumstance. (PCI Requirement 3.2.3)

 

Displaying PAN 

Coast 2 Coast E Solutions will mask the display of PANs (primary account numbers), and limit viewing of PANs to only those employees and other parties with a legitimate need. A properly masked number will show at most only the first six and the last four digits of the PAN. This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or payment card brand requirements for point-of-sale (POS) receipts. Policies and procedures for masking the display of PANs must mandate the following: (PCI requirement 3.3)

  • A list of roles that need access to displays of full PAN is documented, together with a legitimate business need for each role to have such access.

  • PAN must be masked when displayed such that only personnel with a legitimate business need can see the full PAN.

  • All other roles not specifically authorized to see the full PAN must only see masked PANs.

Requirement 4:  Encrypt Transmission of Cardholder Data Across Open, Public Networks

Transmission of Cardholder Data

In order to safeguard sensitive cardholder data during transmission over open, public networks, Coast 2 Coast E Solutions will use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.). These controls will be implemented as follows: (PCI Requirement 4.1)

  • Only trusted keys and certificates are accepted.

  • The protocol in use only supports secure versions or configurations.

  • The encryption strength is appropriate for the encryption methodology in use.
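The three conditions above map directly onto the settings of a TLS client. The following Python example is added here and is not part of Coast 2 Coast E Solutions’s policy or tooling; it uses only the standard-library ssl module. weak_client_context() builds the configuration the policy forbids (any certificate accepted, the oldest protocol version the library supports left negotiable), hardened_client_context() builds one that meets the three conditions, and audit_context() reports which conditions a given context fails. The function names, the cipher-name markers and the wording of the findings are this example’s own. Since PCI DSS 3.1 (April 2015), SSL and early TLS are no longer counted as strong cryptography, so the hardened context pins TLS 1.2 as the minimum.

```python
import ssl
from typing import List, Optional

# Added example (not the organization's code): TLS client settings that do and
# do not satisfy PCI DSS Requirement 4.1, plus a check that reports the gaps.


def weak_client_context() -> ssl.SSLContext:
    """The configuration the policy forbids: no certificate validation and
    the oldest protocol version the library supports left negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE                         # any key/certificate accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # SSL / early TLS negotiable
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """A context meeting 4.1: trusted CAs only, hostname checked, TLS 1.2 or later."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 2/3 and TLS 1.0/1.1 refused
    ctx.check_hostname = True                      # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must end in a trusted CA
    if cafile:
        ctx.load_verify_locations(cafile)          # e.g. a processor-supplied CA bundle
    else:
        ctx.load_default_certs()                   # the system trust store
    return ctx


# Substrings that identify cipher suites no longer considered strong (example's own list).
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT", "anon")


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return one finding per 4.1 condition the context does not meet (empty list = pass)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (only trusted keys and certificates may be accepted)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol minimum below TLS 1.2 (SSL or early TLS could be negotiated)")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["OK"])
```

The same three checks apply to any client the company operates that talks to a processor or gateway (a payment application’s HTTPS client, an SFTP job, a VPN profile); the point of auditing the context rather than the connection is that the gaps are visible before any cardholder data is sent.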

 

Industry best practices (for example, IEEE 802.11i) must be used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment. Weak encryption (for example, WEP, SSL version 2.0 or older) is not to be used as a security control for authentication or transmission. (PCI Requirement 4.1.1)

Sending unencrypted PANs by end-user messaging technologies is prohibited.  Examples of end-user technologies include email, instant messaging and chat. (PCI requirement 4.2)
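Both the masking rule of Requirement 3.3 (at most the first six and last four digits visible, stricter rules for receipts) and the messaging prohibition of Requirement 4.2 need the same building block: recognising a PAN in arbitrary text and masking it. The following Python example is added here and is not part of Coast 2 Coast E Solutions’s policy or tooling. mask_pan() implements the 3.3 masking rule, find_pans() locates Luhn-valid PANs in free text, and redact_message() is the kind of outbound gate an email or chat relay can apply before a message leaves. The regex, the function names, the test card numbers (4111 1111 1111 1111 is the widely used Visa test PAN) and the sample message are constructed for this example.

```python
import re
from typing import List, Tuple

# Added example (not the organization's code). The regex, the test card numbers and
# the sample message below are constructed for illustration.

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check; filters order numbers and timestamps out of the candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, receipt: bool = False) -> str:
    """Mask a PAN as Requirement 3.3 describes: at most the first six and last four
    digits remain. receipt=True applies the stricter POS-receipt rule (last four only)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a syntactically valid PAN")
    if receipt:
        return "*" * (len(digits) - 4) + digits[-4:]
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in free text (an email body, chat line, log entry)."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_message(text: str) -> Tuple[str, int]:
    """Replace every PAN in an outbound message with its masked form (a Requirement 4.2
    gate for email/IM); returns the redacted text and the number of PANs replaced."""
    count = 0

    def _replace(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            return m.group()                # not a card number; leave it untouched
        count += 1
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_replace, text), count


# Constructed sample: a chat message containing one test card number and an
# order number of similar length that is not a PAN (fails the Luhn check).
SAMPLE_MESSAGE = ("Customer paid with 4111 1111 1111 1111, "
                  "order 1234567890123 shipped today.")

if __name__ == "__main__":
    print(find_pans(SAMPLE_MESSAGE))        # ['4111111111111111']
    print(redact_message(SAMPLE_MESSAGE))   # ('Customer paid with 411111******1111, order 1234567890123 shipped today.', 1)
```

The Luhn check is what keeps the gate usable: a bare 13-to-19-digit regex would also redact order numbers, tracking numbers and timestamps. It is not a guarantee that every match is a card number, so a relay that uses this should block or quarantine rather than silently rewrite when the count is non-zero, and it does not detect PANs that a sender has deliberately obfuscated.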

 

Requirement 5: Use and Regularly Update Anti-Virus Software or Programs

Anti-Virus Protection

All systems, particularly personal computers and servers commonly affected by viruses, must have an anti-virus program installed that is capable of detecting, removing, and protecting against all known types of malicious software. (PCI Requirement 5.1, 5.1.1)

 

For systems considered to be not commonly affected by malicious software, Coast 2 Coast E Solutions will perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. (PCI Requirement 5.1.2)

 

All anti-virus programs must be kept current through automatic updates, be actively running, be configured to run periodic scans, and be capable of as well as configured to generate audit logs. Anti-virus logs must also be retained in accordance with PCI requirement 10.7. (PCI Requirement 5.2)

 

Steps must be taken to ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. (PCI Requirement 5.3)

 

Requirement 6:  Develop and Maintain Secure Systems and Applications

Risk and Vulnerability

Coast 2 Coast E Solutions will establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

Risk rankings are to be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected. Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk-assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data. (PCI Requirement 6.1)

All critical security patches must be installed within one month of release. This includes relevant patches for operating systems and all installed applications. All applicable non-critical vendor-supplied security patches must be installed within an appropriate time frame (for example, within three months). (PCI Requirement 6.2)

 

Requirement 7:  Restrict Access to Cardholder Data by Business Need to Know

Limit Access to Cardholder Data

Access to Coast 2 Coast E Solutions’s cardholder system components and data is limited to only those individuals whose jobs require such access. (PCI Requirement 7.1)

Access limitations must include the following:

Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities. (PCI Requirement 7.1.2)

Privileges must be assigned to individuals based on job classification and function (also called “role-based access control”). (PCI Requirement 7.1.3)

 

Requirement 9:  Restrict Physical Access to Cardholder Data

Physically Secure All Areas and Media Containing Cardholder Data

Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:

All media must be physically secured.

Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls shall include:

  • Media must be classified so the sensitivity of the data can be determined. (PCI Requirement 9.6.1)

  • Media must be sent by a secure carrier or other delivery method that can be accurately tracked. (PCI Requirement 9.6.2)

  • Management approval must be obtained prior to moving the media from the secured area. (PCI Requirement 9.6.3)

Strict control must be maintained over the storage and accessibility of media containing cardholder data.

Destruction of Data

All media containing cardholder data must be destroyed when no longer needed for business or legal reasons.

Hardcopy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed.

Containers storing information waiting to be destroyed must be secured (locked) to prevent access to the contents by unauthorized personnel.

 

Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors

Security Policy

Coast 2 Coast E Solutions shall establish, publish, maintain, and disseminate a security policy that addresses how the company will protect cardholder data.

This policy must be reviewed at least annually, and must be updated as needed to reflect changes to business objectives or the risk environment.

Critical Technologies

Coast 2 Coast E Solutions shall establish usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email, and internet usage).

These policies must include the following:

  • Explicit approval by authorized parties to use the technologies. (PCI Requirement 12.3.1)

  • A list of all such devices and personnel with access. (PCI Requirement 12.3.3)

  • Acceptable uses of the technologies. (PCI Requirement 12.3.5)

 

Security Responsibilities

Coast 2 Coast E Solutions’s policies and procedures must clearly define information security responsibilities for all personnel.

Incident Response Policy

The Admin shall establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

Incident Identification

Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures.  All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility.  Some examples of security incidents that an employee might recognize in their day to day activities include, but are not limited to,

  • Theft, damage, or unauthorized access (e.g., papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry).

  • Fraud – Inaccurate information within databases, logs, files or paper records.

Reporting an Incident

The Admin must be notified immediately of any suspected or real security incidents involving cardholder data:

Contact the Admin to report any suspected or actual incidents. The Admin’s phone number should be well known to all employees and should page someone during non-business hours.

No one should communicate with anyone other than their supervisor(s) or the Admin about any details or generalities surrounding any suspected or actual incident.  All communications with law enforcement or the public will be coordinated by the Admin.

Document any information you know while waiting for the Admin to respond to the incident. If known, this must include the date, time, and nature of the incident. Any information you can provide will aid in responding in an appropriate manner.

 

Incident Response Procedure

Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.

Contain, Eradicate, Recover and Perform Root Cause Analysis

  1. Notify the applicable card associations.

Visa

Provide the compromised Visa accounts to the Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be sent securely to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa’s “What to do if compromised” documentation for additional activities that must be performed. That documentation can be found at http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_what_to_do_if_compromised.pdf

MasterCard

Contact your merchant bank for specific details on what to do following a compromise. Details on the merchant bank (a.k.a. the acquirer) can be found in the Merchant Manual at http://www.mastercard.com/us/wce/PDF/12999_MERC-Entire_Manual.pdf.  Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.

Discover Card

Contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.

  2. Alert all necessary parties. Be sure to notify:

  • Merchant bank

  • Local FBI office

  • U.S. Secret Service (if Visa payment data is compromised)

  • Local authorities (if appropriate)

  3. Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: http://www.ncsl.org/programs/lis/cip/priv/breach.htm

  4. Collect and protect information associated with the intrusion.  In the event that a forensic investigation is required, the Admin will work with legal and management to identify appropriate forensic specialists.

  5. Eliminate the intruder's means of access and any related vulnerabilities.

  6. Research potential risks related to, or damage caused by, the intrusion method used.

Root Cause Analysis and Lessons Learned

Not more than one week following the incident, members of the Admin and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security control can be made more effective or efficient, must be updated accordingly.

Security Awareness

Coast 2 Coast E Solutions shall establish and maintain a formal security awareness program to make all personnel aware of the importance of cardholder data security.

Service Providers

Coast 2 Coast E Solutions shall implement and maintain policies and procedures to manage service providers. (PCI requirement 12.8)

 

This process must include the following:

 

  • Maintain a list of service providers. (PCI requirement 12.8.1)

  • Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data the service providers possess. (PCI requirement 12.8.2)

  • Implement a process to perform proper due diligence prior to engaging a service provider. (PCI requirement 12.8.3)

  • Monitor service providers’ PCI DSS compliance status. (PCI requirement 12.8.4)

  • Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity. (PCI requirement 12.8.5)

 
