Office of the State Treasurer (OST)
Payment Card Industry Data Security Standards (PCI DSS) Risk Assessment – Terminals & Hosted Solutions
OST Cash Management Policy 02 18 13.PO “Data Security” requires all state organizations to comply with PCI DSS and states that, “Agency management will annually review financial transaction related data security.” This form has been designed to assist organizations in conducting a financial transaction related data security review based on PCI DSS.

This form can be used by organizations that use terminals to process point-of-sale and mail/telephone orders. It is also applicable for organizations that use a vendor hosted solution to process point-of-sale, mail/telephone and/or e-commerce transactions. With a hosted solution, the organization contracts out the processing, transmission, and storage of debit/credit card transactions to a 3rd party. Organization staff typically access the vendor hosted solution through a web browser to enter point-of-sale and mail/telephone initiated debit/credit card transactions, and e-commerce transactions are processed directly by the hosted solution.

State organizations using a software solution that resides on their network (i.e. the software application is loaded on a network server) cannot use this form for their data security review. These organizations will need to work directly with OST staff to complete their initial PCI DSS risk assessment.

State Organization Name: OREGON STATE UNIVERSITY
Unit/Section/Division:
Contact Name/Title:
Contact Phone #:
Contact E-mail:
Merchant Account Name(s):
Merchant ID(s) – Visa/MC:
Merchant ID(s) – Discover:

Terminal (USING CARD SWIPE MACHINE)
Purchased/Leased from US Bank / Purchased/Leased from a 3rd party vendor
Make/Model of Terminal:
Software/Version #:
Vendor:

Hosted Solution (USING WEB OR ONLINE APPLICATION)
Vendor Name:
Application Name:
Types of Transaction Processed: Point-of-Sale / Mail / Telephone / E-commerce

265f399f-0bc2-4de6-9b6f-3c5d22110906.doc
Page 1
Purpose of this Risk Assessment Form: This form has been designed to assist state organizations and OST in evaluating each organization’s level of compliance with PCI DSS. OST does not expect that organizations will be fully compliant with all requirements listed in this form initially. Each organization’s goal for this process should be to identify areas of non-compliance, prioritize remediation activities based on risk, and complete those activities no later than June 30 each year.

Definitions and Guidance for Fields within this Form

PCI DSS: Payment Card Industry Data Security Standards
PAN: Primary Account Number
Applicability: this field tells the user whether the PCI DSS section and related test are applicable to their environment. Users should complete all sections that are applicable (indicated by a checked environment name).
PCI DSS Section: this field contains the PCI DSS sections (version 1.1 of the Standard) that are applicable to agencies and organizations that use terminals or hosted solutions.
Risk Assessment: this field contains procedures designed to assist the user in determining their level of compliance with the related PCI DSS section. Procedures have been developed based on the PCI DSS Security Audit Procedures (version 1.1) document issued by Visa/MasterCard. This field also contains “best practice” information designed to assist the agency/organization in reducing risk associated with the processing of debit/credit card transactions. Compliance with “best practice” guidance is not required, but should be considered during your review of business practices and objectives.
Complies?: Following completion of the related risk assessment procedure, check the appropriate box to indicate whether your organization is in compliance with the requirements of the PCI DSS section.
Risk Level: If your organization is not in compliance with the requirements of the PCI DSS section, check the appropriate box to indicate the level of risk noncompliance places on your organization. In general, the following guidance can be used:
• High – the organization has no controls in place to ensure compliance with this requirement. Noncompliance puts the agency/organization at significant risk for a loss of debit/credit card transaction data.
• Moderate – the organization has partially implemented the controls/processes needed to ensure compliance with this requirement. The agency/organization is at moderate risk for a loss of debit/credit card transaction data.
• Low – the organization has implemented most if not all of the controls/processes needed to ensure compliance with this requirement. Remaining work is minimal, and does not put the organization at risk for a loss of debit/credit card transaction data.
Describe How You Comply OR Document Remediation Plan: describe how your organization has achieved compliance with the related PCI DSS section OR describe your plan to achieve compliance, including the names of staff members who will be responsible for completing the remediation steps, and the estimated completion date.

Deadlines: Remediation plans must allow the organization to achieve compliance with PCI DSS no later than June 30. State organizations must submit this form, indicating full compliance with all listed PCI DSS requirements, by June 30.

Questions/Assistance: Please contact the OSU Cashier’s Office at 7-2597. See the OSU eCommerce Policy in the FIS Manual at: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal, Hosted Solution
PCI DSS Section 3.1: Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
Risk Assessment:
Best Practice: Do not store full credit card numbers and expiration dates. Review business practices and identify all opportunities to remove or redact this information from hard copy and electronic files maintained by your organization. If you must store receipts/forms with the full credit card number, do not retain these documents for more than 36 months. Receipts with truncated card numbers should be retained for 6 years (exception: retain receipts for Discover card purchases for 7 years).
For terminals, most vendors can provide a software update that will truncate merchant and vendor copies of receipts, as well as daily reports. Refunds can typically be handled through your processor’s customer service unit if the customer is not available to provide their number.
Most hosted solutions truncate credit card numbers for receipts, reports, and on-line access. These systems can process a refund without re-inputting the card number.
Note: Do not image documents with full debit/credit card numbers. Redact or remove this information prior to imaging, as storing this information electronically can expose your organization to additional PCI DSS compliance requirements.
Review policies/procedures addressing data retention and disposal. Verify that this guidance includes, at a minimum:
• Statutory, contractual and business requirements for retention of cardholder data
• Provisions for the disposal of cardholder data when no longer needed
• Provisions for the storage of cardholder data in all formats used by the organization (hard copy, electronic files, database, etc.)
• A programmatic process for the removal, at least on a quarterly basis, of stored cardholder data that has reached its retention date.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
Applicability: Terminal, Hosted Solution
PCI DSS Section 3.2: Do not store sensitive authentication data subsequent to authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:
• 3.2.1 Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data.
• 3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
• 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
Risk Assessment:
Terminals: verify that the software running on your terminal(s) does not store the full contents of any track from the magnetic stripe, the card-validation code or value used to verify card-not-present transactions, or the personal identification number (PIN) or the encrypted PIN block. Recommended Action: contact your terminal provider and request that they verify this to you in writing.
Hosted Solutions: Hosted solutions that are PCI DSS compliant do not store sensitive authentication data subsequent to authorization. Recommended Action: verify that your service provider is PCI DSS compliant by reviewing Visa’s list of compliant service providers, or request proof of compliance from the service provider in writing.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 3.3: Mask PAN (account number) when displayed (the first six and last four digits are the maximum number of digits to be displayed). Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN; nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale [POS] receipts).
Risk Assessment:
Terminals: verify that, at a minimum, credit card numbers are truncated on customer receipts and documentation.
Hosted Solutions: verify that, at a minimum, credit card numbers are truncated on customer receipts/documentation. Review screens and reports available to staff through the hosted solution to verify that credit card numbers are masked.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 4.1: Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).
Risk Assessment:
Terminals: if your terminal uses a dedicated landline, this is not an issue. However, if your organization is using Voice Over IP (VOIP) for communication, verify that all transmissions are encrypted (review system documentation/manuals and confirm with your vendor that processing software is set to encrypt transmissions).
Hosted Solution: verify through review of system documentation/manuals and confirmation with your vendor that all sessions are encrypted. Review screens available to staff to determine that encryption is active (the browser’s padlock indicator should show that the session is protected by HTTPS with a valid certificate). Note that later versions of PCI DSS no longer treat SSL or early TLS as strong cryptography, so confirm with your vendor that a current TLS version is in use.
Best Practice: Use a vendor that has certified PCI DSS compliance for their software or hosted solution. A list of certified software solutions can be found at Validated Payment Applications. Compliant service providers are listed at Visa Compliant Service Providers.
Complies? Yes / No / N/A
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
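The 3.1 and 3.3 reviews ask you to find full card numbers in electronic files and to confirm that displays are masked to at most the first six and last four digits. The script below is an added example, not part of the OST form, of how a reviewer can scan text for candidate PANs, use the Luhn check to cut false positives, and mask each match per 3.3. It assumes (these assumptions are not from the form) that a PAN is 13 to 19 digits, may be written with spaces or dashes between groups, and passes the Luhn check; the sample text is constructed.

```python
"""Locate and mask primary account numbers (PANs) in text.

Added example for the PCI DSS 3.1/3.3 review; it is not part of the OST
form. Assumptions (not from the form): a PAN is 13 to 19 digits, may be
written with spaces or dashes between groups, and passes the Luhn check.
"""
import re
import sys

MIN_LEN, MAX_LEN = 13, 19

# A run of digits that may be separated by single spaces or dashes,
# e.g. "4111 1111 1111 1111" or "4111-1111-1111-1111".
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")


def luhn_ok(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask per 3.3: show at most the first six and last four digits."""
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (start, end, digits) for each Luhn-valid PAN found in text.

    Each digit run is scanned left to right; at every offset the longest
    window of MIN_LEN..MAX_LEN digits that passes Luhn is taken, so a PAN
    sitting next to a phone number or date is still found.
    """
    hits = []
    for run in _DIGIT_RUN.finditer(text):
        # text offsets of the digits in this run (separators skipped)
        pos = [run.start() + i for i, ch in enumerate(run.group()) if ch.isdigit()]
        digits = "".join(text[p] for p in pos)
        i = 0
        while i + MIN_LEN <= len(digits):
            width = next((n for n in range(MAX_LEN, MIN_LEN - 1, -1)
                          if i + n <= len(digits) and luhn_ok(digits[i:i + n])), 0)
            if width:
                hits.append((pos[i], pos[i + width - 1] + 1, digits[i:i + width]))
                i += width
            else:
                i += 1
    return hits


def redact(text: str) -> str:
    """Replace every PAN found in text with its masked form."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample: one well-known test PAN beside a date, a phone
# number and an order number that must not be reported.
SAMPLE = ("Refund request 2013-04-02: card 4111 1111 1111 1111 exp 09/15, "
          "amount $42.00. Call back at 541-737-2597. Order 20130402000123.")


if __name__ == "__main__":
    # Usage: python pan_scan.py file1.txt file2.csv ...
    # Only the masked form is printed, so the report itself stores no PAN.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for _, _, digits in find_pans(line):
                    print(f"{path}:{lineno}: {mask_pan(digits)}")
    if len(sys.argv) == 1:
        print(redact(SAMPLE))
```

Two caveats for using this in a review: roughly one in ten random digit strings of a given length passes Luhn, so treat hits as leads for a manual look rather than proof, and make sure the scanner’s own output never records the full number (the report above prints only the masked form), otherwise the review creates the very storage 3.1 tells you to eliminate. Spreadsheets, databases and OCR text from imaged documents should be fed through the same check.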
Applicability: Terminal, Hosted Solution
PCI DSS Section 4.1.1: For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
• Use with a minimum 104-bit encryption key and 24-bit initialization value
• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel with access to keys
• Restrict access based on media access code (MAC) address.
Risk Assessment:
Terminals: this is only applicable if you use a wireless terminal, or if your terminal has this capability. If your terminal uses wireless communication or can use this option, verify that all transmissions are encrypted or that this option is disabled for your terminal (review system documentation/manuals and confirm with your vendor that processing software is set to encrypt transmissions or that the option is disabled).
Hosted Solutions: this is only applicable if you use a wireless network to access the hosted solution, or could use your network’s wireless functionality to do so. Verify through discussion with your Information Systems group that your wireless network meets the encryption requirements of 4.1.1, or verify through review of internal policies/procedures that access via wireless is strictly prohibited.
Complies? Yes / No / N/A
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 4.2: Never send unencrypted PANs by e-mail.
Risk Assessment: Review policies/procedures addressing the use of e-mail. Ensure that the transmission of debit/credit card numbers via e-mail is specifically prohibited unless the sender has the ability to encrypt e-mail. If e-mail encryption is available, ensure that the policy/procedure requires staff to encrypt all e-mail containing debit/credit card numbers. Talk with staff members responsible for debit/credit card transaction processing to ensure that they are aware of this requirement.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 5.1: Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers). Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
Risk Assessment: Hosted Solutions: talk with your Information Technology group to verify that personal computers and servers used to access the hosted solution have anti-virus programs installed that are capable of detecting, removing, and protecting against viruses and other forms of malicious software, including spyware and adware.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 5.2: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Risk Assessment: Hosted Solutions: talk with your Information Technology group to verify that anti-virus programs cannot be modified or turned off by non-IT staff members, and that they are set to update automatically (or, at a minimum, at least once every 24 hours). Review several machines used to access the hosted solution and verify that anti-virus software is current, actively running and capable of generating audit logs.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 7.1: Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
Risk Assessment: Hosted Solutions: Verify that written policies/procedures addressing debit/credit card processing and access control exist, and incorporate the following:
• Staff access rights must be limited to the least privileges necessary to perform their assigned job functions.
• Assignment of privileges is based on the staff member’s job classification and function.
• An authorization form signed by the staff member’s manager that specifies required privileges (or a process that is equivalent and documented in writing) is required for access.
• A requirement that any solution used must include an automated access control system that supports access levels based on job function.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 7.2: Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.
Risk Assessment: Hosted Solutions: Examine system settings and vendor documentation to verify that an access control system is implemented and that it includes the following:
• Coverage of all system components (for example, transaction entry screens, reporting, and system administration)
• Assignment of privileges to individuals based on job classification and function
• Default “deny-all” setting (some access control systems are set by default to “allow-all”, thereby permitting access unless/until a rule is written to specifically deny it)
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 8.1: Identify all users with a unique user name before allowing them to access system components or cardholder data.
Risk Assessment: Hosted Solution: Obtain a current listing of all user IDs and verify that all users have a unique username for access to system components or cardholder data.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
• Password
• Token devices (e.g., SecureID, certificates, or public key)
• Biometrics.
Risk Assessment: Hosted Solution: Obtain and examine system documentation and written policies/procedures describing the authentication method used to obtain access to the hosted solution. For each level of access (i.e. transaction processing, refunding, administration) observe a staff member signing on to the hosted solution to verify that authentication is functioning consistent with documented processes (for example, verify that each user must enter their user ID and password to gain access to the system).
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
Applicability: Terminal, Hosted Solution
PCI DSS Section 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows (8.5.1 through 8.5.11 below).
Risk Assessment (applies to all of 8.5): Hosted Solutions: Review written policies/procedures and interview personnel to verify that procedures are implemented for user authentication and password management. Perform the following tests as part of this process.

8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
Risk Assessment: Select a sample of user IDs, including both administrators and general users. Verify that each user is authorized to use the system (examine the signed authorization form and compare to system access settings).
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.2 Verify user identity before performing password resets
Risk Assessment: Examine password procedures and observe security personnel to verify that, if a user requests a password reset by phone, e-mail, web, or other non-face-to-face method, the user’s identity is verified before the password is reset.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use
Risk Assessment: Examine password procedures and observe security personnel to verify that first-time passwords for new users are set to a unique value for each user and changed after first use.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.4 Immediately revoke access for any terminated users
Risk Assessment: Select a sample of employees terminated in the past six months and review current user access lists to verify that their IDs were inactivated or removed within 24 hours of termination.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.5 Remove inactive user accounts at least every 90 days
Risk Assessment: Review a current listing of user IDs and verify that there are no inactive accounts over 90 days old.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.7 Communicate password procedures and policies to all users who have access to cardholder data
Risk Assessment: Interview several staff members to verify that they are familiar with password procedures and policies.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.8 Do not use group, shared, or generic accounts and passwords
Risk Assessment: Examine access policies/procedures to verify that group and shared IDs/passwords are explicitly prohibited. Interview system administrators to verify that group and shared IDs/passwords are not distributed, even if requested by management.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.9 Change user passwords at least every 90 days
Risk Assessment: Review user documentation provided by the vendor to verify that user passwords are required to change at least every 90 days, and that users are given guidance as to when, and under what circumstances, passwords must change.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.10 Require a minimum password length of at least seven characters
Risk Assessment: Review user documentation provided by the vendor to verify that user passwords are required to meet minimum length requirements (at least seven characters).
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.11 Use passwords containing both numeric and alphabetic characters
Risk Assessment: Review user documentation provided by the vendor to verify that user passwords are required to contain both numeric and alphabetic characters.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
Applicability: Terminal, Hosted Solution
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
Risk Assessment: Review user documentation provided by the vendor to verify that new user passwords cannot be the same as the previous four passwords.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
Risk Assessment: Review user documentation provided by the vendor to verify that user accounts are temporarily locked out after no more than six invalid access attempts.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID
Risk Assessment: Review user documentation provided by the vendor to verify that once a user is locked out, they remain locked out for at least 30 minutes or until an administrator resets their account.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal
Risk Assessment: Review user documentation provided by the vendor to verify that system/session idle time-out features have been set to 15 minutes or less.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 9.6: Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data.
Risk Assessment:
Terminals: ensure that terminals are physically secured when not in use. Ensure that all staff members are trained on terminal use, and how to identify signs of tampering. Verify that paper and electronic media containing full debit/credit card numbers are stored in a secure location (locked filing cabinet or office, secure filing room).
Hosted Solution: Ensure that PCs used to process debit/credit card transactions are not accessible to the public, and that staff are required to log off or initiate a password-protected screen saver when leaving the PC’s physical location. Ensure that all staff members are trained on how to identify signs of tampering (e.g. new hardware devices “attached” to the PC). Ensure that receipts, documents and reports generated by the hosted solution do not contain full debit/credit card numbers. Verify that paper and electronic media containing full debit/credit card numbers are stored in a secure location (locked filing cabinet or office, secure filing room). Do not store electronic files (spreadsheets, imaged documents, word processing documents, etc.) with full debit/credit card numbers on your network or PC hard drive unless they are secured through access control and encryption.
Note: keys and other “access” devices such as key cards must also be secured. If all staff know their location, or can readily obtain them, this requirement is not met.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
Best Practice: limit storage of full debit/credit card numbers to what is absolutely necessary to conduct business. Do not store full debit/credit card numbers in any format (database, word or spreadsheet documents, imaged documents, etc.) on your network or PC hard drive. Identify business processes that currently require the retention of this information, and work with internal support staff, your vendor and the Office of the State Treasurer to identify options to reduce or eliminate storage.

Applicability: Terminal, Hosted Solution
PCI DSS Section 9.7: Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data, including the following:
• 9.7.1 Classify the media so it can be identified as confidential
• 9.7.2 Send the media by secured courier or other delivery method that can be accurately tracked.
Risk Assessment: Review debit/credit card processing policies/procedures to verify that procedures exist to control distribution of media (hard copy and electronic) containing cardholder data. Select a sample of debit/credit card transactions and verify that supporting documents that include full debit/credit card numbers are identified as “confidential” and stored securely. If media is sent off site, ensure that a log is kept of all off-site media, and that media is transported by secured courier or another delivery method that can be accurately tracked.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 9.9: Maintain strict control over the storage and accessibility of media that contains cardholder data. 9.9.1 Properly inventory all media and make sure it is securely stored.
Risk Assessment: Review policies/procedures addressing the maintenance and storage of hardcopy and electronic media containing cardholder data and verify that periodic media inventories are required. Obtain and review documentation of the last inventory conducted, and review inventory processes to verify that media was securely stored at the time the inventory was conducted.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal, Hosted Solution
PCI DSS Section 9.10: Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows: 9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials. 9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.
Risk Assessment: Review policies/procedures addressing the destruction of media containing cardholder data. Confirm the following:
• All hard copy materials must be cross-cut shredded, incinerated, or pulped.
• Storage containers used for media to be destroyed are secure (containers are locked; individuals cannot reach through the opening and pull out documents).
• All electronic media (backup tapes, CDs, thumb drives) is destroyed beyond recovery by using a secure wipe program that overwrites the data (simply deleting files is not sufficient), or via degaussing or otherwise physically destroying the media.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
Applicability: Terminal, Hosted Solution
PCI DSS Section 12.1: Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
• 12.1.1 Addresses all requirements in this specification
• 12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment
• 12.1.3 Includes a review at least once a year and updates when the environment changes.
Risk Assessment: Obtain and examine the organization’s security policy addressing debit/credit card transactions. Ensure that this policy:
• Requires the organization and all relevant staff members to maintain compliance with PCI DSS.
• Requires the organization to complete an annual risk assessment addressing debit/credit card activity.
• Requires staff to review the policy at least once a year and whenever the card processing environment or business objectives change.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm

Applicability: Terminal, Hosted Solution
PCI DSS Section 12.2: Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
Risk Assessment: Obtain and review daily operating procedures for debit/credit card transaction processing. Verify that procedures are consistent with PCI DSS requirements, and include guidance for both administrators and regular users.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm

Applicability: Terminal, Hosted Solution
PCI DSS Section 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
Risk Assessment: Verify that debit/credit card security policies/procedures clearly define information security responsibilities for employees and any 3rd party contractors hired to process debit/credit card transactions on behalf of the organization.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm

Applicability: Terminal, Hosted Solution
PCI DSS Section 12.5: Assign to an individual or team the following information security management responsibilities:
• 12.5.1 Establish, document, and distribute security policies and procedures
• 12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel
• 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
• 12.5.4 Administer user accounts, including additions, deletions, and modifications
• 12.5.5 Monitor and control all access to data.
Risk Assessment: Verify that the organization has formally assigned (i.e. within written policies or position descriptions) responsibility for debit/credit card transaction security to one or more members of management. Formally assigned duties must include:
• The development and distribution of security policies and procedures related to debit/credit card transactions.
• The monitoring and analysis of security alerts and information, including the distribution of this information to IT and business managers and staff.
• The development, distribution and formal testing of incident response and escalation procedures in the event of a debit/credit card data breach.
• Administration of user accounts, including user authentication, additions, deletions and modifications of user access.
• Responsibility for monitoring and controlling all access to data.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
Applicability Terminal Hosted Solution
PCI DSS Section 12.6: Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
  12.6.1 Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions).
  12.6.2 Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.

Risk Assessment (covers 12.6, 12.7 and 12.8):
- Verify the existence of a formal security awareness program for all employees. Obtain and examine the security awareness program procedures and documentation and perform the following:
  - Verify that the program provides multiple methods of communicating awareness and educating users (for example, posters, e-mails, letters and formal meetings).
  - Interview several users to verify that they attended awareness training upon hire and at least annually thereafter.
  - Select a sample of users and obtain acknowledgement forms to verify that they have read and agreed to the organization’s security policies and procedures.
- Contact the Human Resources representative and verify that background checks are conducted on potential employees who will have access to cardholder data (i.e. access to files or reports with full debit/credit card numbers, or access to hosted systems that allow users to view, report on, or download full debit/credit card numbers). Background checks may include pre-employment verification of application data, criminal background checks, credit history checks, and reference checks, but do not have to include all of these areas if not allowed by law, labor contract, or organizational policy.
  Best Practice: while not required for staff who do not have access to cardholder data, it is always advisable to perform some level of background verification on potential employees, such as verification of application data and reference checks.
- Obtain the contract or user agreement between the organization and the 3rd party vendor providing debit/credit card transaction processing services. Verify that the contract/agreement contains provisions requiring the 3rd party vendor to maintain compliance with PCI DSS and an acknowledgement that the vendor is responsible for the security of cardholder data in its possession.

Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section 12.7: Screen potential employees to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section 12.8: If cardholder data is shared with service providers, then contractually the following is required:
  12.8.1 Service providers must adhere to the PCI DSS requirements.
  12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses.
Complies? Yes / No
Risk Level: High / Moderate / Low
Risk Assessment (12.8, continued):
  Best Practice: in addition, contracts/agreements should address the following:
  - Liability of the vendor in the event of a data breach that can be traced to the actions or inaction of the vendor (i.e. responsibility for payment of fines, penalties, lawsuits and other costs that may be incurred by the organization as a result of the vendor’s breach).
  - Requirement that the vendor must inform the organization within 24 hours if it has knowledge of, or can reasonably expect that, a breach has occurred.

Risk Assessment (covers 12.9, 12.9.1, 12.9.2 and 12.9.4):
- Obtain the Incident Response Plan for debit/credit card data breaches and verify that:
  - Staff member roles, responsibilities and communication strategies in the event of a data breach are clearly documented.
  - The plan addresses all likely data breach scenarios (for example: missing/lost terminal, loss of hard copy records or electronic media, compromise of a terminal or PC used to access the hosted solution, data breach at the 3rd party vendor).
  - The plan requires notification to the credit card associations, the acquirer bank, the Office of the State Treasurer, and the 3rd party vendor (if they do not already know).
  - The plan addresses the strategy for business continuity following the breach.
  - The plan references or includes incident response procedures from the card associations.
  - The plan addresses any additional notifications or actions that must be taken to comply with legal requirements (i.e. requirements of Senate Bill 583 or requirements stated in a contract/agreement with the vendor).
- Verify that the plan is tested at least annually by reviewing documentation/notes from the last test conducted.
- Verify through observation and/or review of policies that staff with security breach responsibilities receive training at least once a year.

Applicability: Terminal / Hosted Solution
PCI DSS Section 12.9: Implement an incident response plan. Be prepared to respond immediately to a system breach.
  12.9.1 Create the incident response plan to be implemented in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing the Acquirers and credit card associations).
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section 12.9.2: Test the plan at least annually.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section 12.9.4: Provide appropriate training to staff with security breach response responsibilities.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm
Applicability: Terminal / Hosted Solution
PCI DSS Section 12.9.5: Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.

Risk Assessment (covers 12.9.5 and 12.9.6):
- Interview staff with security breach responsibilities to determine whether IT Security staff have a process in place to communicate to them any intrusion detection, intrusion prevention, and file integrity monitoring system alerts that could indicate an actual or potential breach of cardholder data.
- Verify through discussion with relevant staff and/or review of security policies that the incident response plan is reviewed/updated at least annually, and that lessons learned and new industry developments are incorporated into the plan.

Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section 12.9.6: Develop process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS140106.htm