Office of the State Treasurer (OST)
Payment Card Industry Data Security Standards (PCI DSS) Risk Assessment – Terminals & Hosted Solutions



OST Cash Management Policy 02 18 13.PO “Data Security” requires all state organizations to comply with PCI DSS and states that, “Agency management will annually review financial transaction related data
security.” This form has been designed to assist organizations in conducting a financial transaction related data security review based on PCI DSS. This form can be used by organizations that use terminals to
process point-of-sale and mail/telephone orders. It is also applicable for organizations that use a vendor hosted solution to process point-of-sale, mail/telephone and/or e-commerce transactions. With a hosted
solution, the organization contracts out the processing, transmission, and storage of debit/credit card transactions to a 3rd party. Organization staff typically access the vendor hosted solution through a web browser
to enter point-of-sale and mail/telephone initiated debit/credit card transactions, and e-commerce transactions are processed directly by the hosted solution.

State organizations using a software solution that resides on their network (i.e. the software application is loaded on a network server) cannot use this form for their data security review. These organizations will
need to work directly with OST staff to complete their initial PCI DSS risk assessment.

State Organization Name: OREGON STATE UNIVERSITY
Unit/Section/Division:
Contact Name/Title:
Contact Phone #:
Contact E-mail:

Merchant Account Name(s):
Merchant ID(s) – Visa/MC:
Merchant ID(s) – Discover:

Terminal (USING CARD SWIPE MACHINE)
   Purchased/Leased from US Bank
   Purchased/Leased from a 3rd party vendor
       Make/Model of Terminal:
       Software/Version #:
       Vendor:

Hosted Solution (USING WEB OR ONLINE APPLICATION)
Vendor Name:
Application Name:
Types of Transaction Processed: Point-of-Sale / Mail / Telephone / E-commerce


67d7c72d-f80b-4974-9652-987f4f21d4aa.doc                                                                 Page 1
Purpose of this Risk Assessment Form:
This form has been designed to assist state organizations and OST in evaluating each organization’s level of compliance with PCI DSS. OST does not expect that organizations will be fully compliant with all
requirements listed in this form initially. Each organization’s goal for this process should be to identify areas of non-compliance, prioritize remediation activities based on risk, and complete those activities no
later than June 30 each year.

Definitions and Guidance for Fields within this Form
PCI DSS: Payment Card Industry Data Security Standards
PAN: Primary Account Number

Applicability: this field tells the user if the PCI DSS section and related test are applicable to their environment. Users should complete all sections that are applicable (indicated by a mark preceding the
environment name).

PCI DSS Section: this field contains the PCI DSS sections (version 1.1 of the Standard) that are applicable to agencies and organizations that use terminals or hosted solutions.

Risk Assessment: this field contains procedures designed to assist the user in determining their level of compliance with the related PCI DSS section. Procedures have been developed based on the PCI DSS
Security Audit Procedures (version 1.1) document issued by Visa/MasterCard. This field also contains “best practice” information designed to assist the agency/organization in reducing risk associated with the
processing of debit/credit card transactions. Compliance with “best practice” guidance is not required, but should be considered during your review of business practices and objectives.

Complies?: following completion of the related risk assessment procedure, check the appropriate box to indicate if your organization is in compliance with the requirements of the PCI DSS Section.

Risk Level: If your organization is not in compliance with the requirements of the PCI DSS section, check the appropriate box to indicate the level of risk noncompliance places on your organization. In general,
the following guidance can be used:
     High – the organization has no controls in place to ensure compliance with this requirement. Noncompliance puts the agency/organization at significant risk for a loss of debit/credit card transaction data.
     Moderate – the organization has partially implemented controls/processes needed to ensure compliance with this requirement. The agency/organization is at moderate risk for a loss of debit/credit card
         transaction data.
     Low – the organization has implemented most if not all of the controls/processes needed to ensure compliance with this requirement. Remaining work is minimal, and does not put the organization at risk
         for a loss of debit/credit card transaction data.

Describe How You Comply OR Document Remediation Plan: describe how your organization has achieved compliance with the related PCI DSS section OR describe your plan to achieve compliance,
including the names of staff members who will be responsible for completing the remediation steps, and the estimated completion date.

Deadlines
Remediation plans must allow the organization to achieve compliance with PCI DSS no later than June 30.

June 30 – State organizations must submit this form, indicating full compliance with all listed PCI DSS requirements, by June 30.

Questions/Assistance
Please contact OSU Cashier’s Office at 7-2597.
See OSU eCommerce Policy in the FIS Manual at: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal / Hosted Solution
PCI DSS Section: 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
Risk Assessment:
Best Practice: Do not store full credit card numbers and expiration dates. Review business practices and identify all opportunities to remove or redact this information from hard copy and electronic files maintained by your organization.

If you must store receipts/forms with the full credit card number, do not retain these documents for more than 36 months. Receipts with truncated card numbers should be retained for 6 years (exception: retain receipts for Discover card purchases for 7 years).

For terminals, most vendors can provide a software update that will truncate merchant and vendor copies of receipts, as well as daily reports. Refunds can typically be handled through your processor’s customer service unit, if the customer is not available to provide their number.

Most hosted solutions truncate credit card numbers for receipts, reports, and on-line access. These systems can process a refund without re-inputting the card number.

P.S. Do not image documents with full debit/credit card numbers. Redact or remove this information prior to imaging, as storing this information electronically can expose your organization to additional PCI DSS compliance requirements.
-----------------------------------------------------------------------
Review policies/procedures addressing data retention and disposal. Verify that this guidance includes, at a minimum:
   • Statutory, contractual and business requirements for retention of cardholder data
   • Provisions for the disposal of cardholder data when no longer needed
   • Provisions for the storage of cardholder data in all formats used by the organization (hard copy, electronic files, database, etc.)
   • A programmatic process for the removal, at least on a quarterly basis, of stored cardholder data that has reached its retention date.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
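The retention guidance in 3.1 (36 months for receipts carrying the full card number, 6 years for truncated receipts, 7 years for Discover, and a removal pass at least quarterly) can be run as a mechanical check over an inventory of stored items. The following is an added example, not part of the OST form; the inventory fields (stored_on, fmt, full_pan, brand) and the sample records are constructed for illustration, and your own data retention policy governs the actual limits.

```python
"""Retention-date check for stored cardholder data (added example, not part of the OST form)."""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass
class StoredRecord:
    """One stored item (assumed inventory format; the form does not define one)."""
    record_id: str
    stored_on: date     # date the receipt/form/file entered storage
    fmt: str            # "hard copy", "electronic file", "database", ...
    full_pan: bool      # True if the item carries the full card number
    brand: str          # "visa", "mc", "discover", ...


def retention_months(rec: StoredRecord) -> int:
    """Limits taken from the form's 3.1 best-practice guidance: 36 months for
    full-PAN receipts, 6 years for truncated receipts, 7 years for Discover."""
    if rec.full_pan:
        return 36
    if rec.brand.lower() == "discover":
        return 7 * 12
    return 6 * 12


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    y += d.year
    m = m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def retention_date(rec: StoredRecord) -> date:
    """Date on which the item reaches its retention limit."""
    return add_months(rec.stored_on, retention_months(rec))


def quarterly_purge_list(records, as_of: date) -> list:
    """IDs of records whose retention date has been reached on the review date
    (the quarterly removal pass the form asks for)."""
    return sorted(r.record_id for r in records if retention_date(r) <= as_of)


def next_quarterly_review(as_of: date) -> date:
    """First day of the calendar quarter after `as_of`."""
    quarter_start = date(as_of.year, ((as_of.month - 1) // 3) * 3 + 1, 1)
    return add_months(quarter_start, 3)


# Constructed sample inventory for a review run on 1 July 2013.
REVIEW_DATE = date(2013, 7, 1)
SAMPLE_RECORDS = [
    StoredRecord("R1", date(2010, 6, 15), "hard copy", True, "visa"),            # full PAN, 36 months passed
    StoredRecord("R2", date(2010, 8, 1), "hard copy", True, "mc"),               # full PAN, one month left
    StoredRecord("R3", date(2007, 6, 30), "electronic file", False, "visa"),     # truncated, 6 years passed
    StoredRecord("R4", date(2007, 6, 30), "electronic file", False, "discover"), # Discover: 7 years, keep
    StoredRecord("R5", date(2008, 1, 31), "database", False, "mc"),              # truncated, kept until 2014
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, rec.fmt, "retain until", retention_date(rec))
    print("purge now:", quarterly_purge_list(SAMPLE_RECORDS, REVIEW_DATE))
    print("next review:", next_quarterly_review(REVIEW_DATE))
```

Month arithmetic is done on calendar months rather than a fixed number of days so that an item stored on 31 January is not judged a day early or late in a leap year; the purge list is what the quarterly process would hand to whoever disposes of hard copy or deletes files.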
Applicability: Terminal / Hosted Solution
PCI DSS Section: 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:
   3.2.1 Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data
   3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions
   3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
Risk Assessment:
Terminals: verify that the software running on your terminal(s) does not store the full contents of any track from the magnetic stripe, the card-validation code or value used to verify card-not-present transactions, or the personal identification number (PIN) or the encrypted PIN block. Recommended Action: contact your terminal provider and request that they verify this to you in writing.

Hosted Solutions: Hosted solutions that are PCI DSS compliant do not store sensitive authentication data subsequent to authorization. Recommended Action: verify that your service provider is PCI DSS compliant by reviewing Visa’s list of compliant service providers or request proof of compliance from the service provider in writing.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 3.3 Mask PAN (account number) when displayed (the first six and last four digits are the maximum number of digits to be displayed). Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN; nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale [POS] receipts).
Risk Assessment:
Terminals: verify that, at a minimum, credit card numbers are truncated on customer receipts and documentation.

Hosted Solutions: verify that, at a minimum, credit card numbers are truncated on customer receipts/documentation. Review screens and reports available to staff through the hosted solution to verify that credit card numbers are masked.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).
Risk Assessment:
Terminals: if your terminal uses a dedicated landline, this is not an issue. However, if your organization is using Voice Over IP (VOIP) for communication, verify that all transmissions are encrypted (review system documentation/manuals and confirm with your vendor that processing software is set to encrypt transmissions).

Hosted Solution: verify through review of system documentation/manuals and confirmation with your vendor that all sessions are encrypted. Review screens available to staff to determine if encryption is active (click on the small yellow padlock in the lower right corner of the screen to verify).

Best Practice: Use a vendor that has certified PCI DSS compliance for their software or hosted solution. A list of certified software solutions can be found at Validated Payment Applications. Compliant service providers are listed at Visa Compliant Service Providers.
Complies?: Yes / No / N/A
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
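Sections 3.2 and 3.3 above ask the reviewer to confirm that track data, card-validation codes and PINs are not stored and that card numbers are truncated on receipts, reports and screens. The scanner below is an added example, not part of the OST form and not a vendor tool, that runs those checks over stored text such as a terminal log or a report export. It assumes raw stripe data would appear in the ISO/IEC 7813 track layout, uses a constructed set of field labels for the card-validation code and PIN block, and applies the Luhn check digit test (a property of card numbers the form does not mention) to separate PAN candidates from order numbers; it also shows the display form 3.3 allows, first six and last four digits.

```python
"""Scan stored text for sensitive authentication data (3.2) and unmasked PANs (3.3).
Added example; not part of the OST form or any vendor product."""
import re

# Track 1 (format B) and track 2 as written to the magnetic stripe (ISO/IEC 7813 layout;
# assumed to be how a terminal would log raw stripe data):
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{7}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{7}[^?]*\?")
# Field labels a log or database export might use for the card-validation code and the
# PIN / encrypted PIN block (constructed label set; extend with the vendor's own names).
CVV_FIELD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN_FIELD_RE = re.compile(r"\b(?:pin|pin_?block|encrypted_?pin)\s*[=:]\s*[0-9a-f]{4,16}\b", re.IGNORECASE)
# Any run of 13-19 digits is a PAN candidate; the Luhn test below discards most order numbers.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by 3.3: at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_stored_line(line: str) -> list:
    """Findings for one line of stored data, tagged with the PCI DSS section concerned."""
    findings = []
    if TRACK1_RE.search(line) or TRACK2_RE.search(line):
        findings.append("track data (3.2.1)")
    if CVV_FIELD_RE.search(line):
        findings.append("card-validation code (3.2.2)")
    if PIN_FIELD_RE.search(line):
        findings.append("PIN or PIN block (3.2.3)")
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(line)):
        findings.append("full PAN (3.3)")
    return findings


def scan_stored_lines(lines) -> dict:
    """Map 1-based line numbers to findings; lines with nothing to report are omitted."""
    report = {}
    for number, line in enumerate(lines, start=1):
        found = scan_stored_line(line)
        if found:
            report[number] = found
    return report


# Constructed sample of a terminal/application log; the only card number is the
# public test PAN 4111111111111111, and the order numbers fail the Luhn test.
SAMPLE_STORED_LINES = [
    "2013-07-01 10:02:11 auth ok order=1234567890123 pan=411111******1111 amt=42.00",
    "2013-07-01 10:05:40 auth ok order=1234567890124 pan=4111111111111111 amt=19.95",
    "2013-07-01 10:07:02 swipe raw=;4111111111111111=2512101543211234567? amt=5.00",
    "2013-07-01 10:09:15 cnp order=1234567890125 pan=411111******1111 cvv2=123",
    "2013-07-01 10:11:30 debit pan=411111******1111 pin_block=1A2B3C4D5E6F7081",
]

if __name__ == "__main__":
    for number, found in scan_stored_lines(SAMPLE_STORED_LINES).items():
        print(f"line {number}: {', '.join(found)}")
    print(mask_pan("4111 1111 1111 1111"))
```

A finding on any line means the stored data needs the redaction, the vendor software update, or the written vendor confirmation the form describes; the first sample line, with a masked number and an ordinary order number, is what a compliant export looks like.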
Applicability: Terminal / Hosted Solution
PCI DSS Section: 4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
   • Use with a minimum 104-bit encryption key and 24 bit-initialization value
   • Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
   • Rotate shared WEP keys quarterly (or automatically if the technology permits)
   • Rotate shared WEP keys whenever there are changes in personnel with access to keys
   • Restrict access based on media access code (MAC) address.
Risk Assessment:
Terminals: this is only applicable if you use a wireless terminal, or if your terminal has this capability. If your terminal uses wireless communication or can use this option, verify that all transmissions are encrypted or that this option is disabled for your terminal (review system documentation/manuals and confirm with your vendor that processing software is set to encrypt transmissions or that the option is disabled).

Hosted Solutions: this is only applicable if you use a wireless network to access the hosted solution, or could use your network’s wireless functionality to do so. Verify through discussion with your Information Systems group that your wireless network meets the encryption requirements of 4.1.1 or verify through review of internal policies/procedures that access via wireless is strictly prohibited.
Complies?: Yes / No / N/A
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 4.2 Never send unencrypted PANs by e-mail.
Risk Assessment: Review policies/procedures addressing the use of e-mail. Ensure that the transmission of debit/credit card numbers via e-mail is specifically prohibited unless the sender has the ability to encrypt e-mail. If e-mail encryption is available, ensure that the policy/procedure requires staff to encrypt all e-mail containing debit/credit card numbers. Talk with staff members responsible for debit/credit card transaction processing to ensure that they are aware of this requirement.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers). Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.
   5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
Risk Assessment: Hosted Solutions: talk with your Information Technology group to verify that personal computers and servers used to access the hosted solution have anti-virus programs installed that are capable of detecting, removing, and protecting against viruses and other forms of malicious software, including spyware and adware.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Risk Assessment: Hosted Solutions: talk with your Information Technology group to verify that anti-virus programs cannot be modified or turned off by non-IT staff members, and that they are set to update automatically (or, at a minimum, at least once every 24 hours). Review several machines used to access the hosted solution and verify that anti-virus software is current, actively running and capable of generating audit logs.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
Applicability: Terminal / Hosted Solution
PCI DSS Section: 7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
Risk Assessment: Hosted Solutions: Verify that written policies/procedures addressing debit/credit card processing and access control exist, and incorporate the following:
   • Staff access rights must be limited to the least privileges necessary to perform their assigned job functions.
   • Assignment of privileges is based on the staff member’s job classification and function
   • An authorization form signed by the staff member’s manager that specifies required privileges (or a process that is equivalent and documented in writing) is required for access.
   • A requirement that any solution used must include an automated access control system that supports access levels based on job function.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 7.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.
Risk Assessment: Hosted Solutions: Examine system settings and vendor documentation to verify that an access control system is implemented and that it includes the following:
   • Coverage of all system components (for example, transaction entry screens, reporting, and system administration)
   • Assignment of privileges to individuals based on job classification and function
   • Default “deny-all” setting (some access control systems are set by default to “allow-all”, thereby permitting access unless/until a rule is written to specifically deny it)
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data.
Risk Assessment: Hosted Solution: Obtain a current listing of all user IDs and verify that all users have a unique username for access to system components or cardholder data.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
   • Password
   • Token devices (e.g., SecureID, certificates, or public key)
   • Biometrics.
Risk Assessment: Hosted Solution: Obtain and examine system documentation and written policies/procedures describing the authentication method used to obtain access to the hosted solution. For each level of access (i.e. transaction processing, refunding, administration) observe a staff member signing on to the hosted solution to verify that authentication is functioning consistent with documented processes (for example, verify that each user must enter their user ID and password to gain access to the system).
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
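The last bullet of 7.2 names the failure mode the reviewer is looking for: an access control system that defaults to allow-all lets any user reach every component until someone writes a deny rule for it. The following added example (not from the form or any hosted-solution vendor) models job-function profiles of the kind 7.1 describes under both defaults and lists what each user can reach beyond their profile; the role names, components, user IDs and the single hand-written deny rule are constructed.

```python
"""Default-deny versus default-allow access control by job function
(added example; not from the OST form or any vendor product)."""

# Constructed job-function profiles: which system components each role may use (7.1).
ROLE_COMPONENTS = {
    "cashier": {"transaction_entry"},
    "supervisor": {"transaction_entry", "refund", "reporting"},
    "administrator": {"reporting", "system_administration"},
}
# Every component the access control system must cover (7.2, first bullet).
ALL_COMPONENTS = {"transaction_entry", "refund", "reporting", "system_administration"}


class AccessControl:
    """Decision order: an explicit deny wins; then the role's grants; then the default."""

    def __init__(self, default_deny: bool = True):
        self.default_deny = default_deny
        self.roles = {}       # user ID -> job function, as on the signed authorization form
        self.denies = set()   # (user ID, component) rules written by hand

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_COMPONENTS:
            raise ValueError(f"unknown job function: {role}")
        self.roles[user] = role

    def deny(self, user: str, component: str) -> None:
        self.denies.add((user, component))

    def permitted(self, user: str, component: str) -> bool:
        if (user, component) in self.denies:
            return False
        if component in ROLE_COMPONENTS.get(self.roles.get(user), set()):
            return True
        return not self.default_deny   # deny-all: False; allow-all: True


def unauthorized_reach(acl: AccessControl, users) -> list:
    """(user, component) pairs a user can reach without a grant from their job function:
    the gap that opens when the system defaults to allow-all."""
    gaps = []
    for user in users:
        granted = ROLE_COMPONENTS.get(acl.roles.get(user), set())
        for component in sorted(ALL_COMPONENTS - granted):
            if acl.permitted(user, component):
                gaps.append((user, component))
    return gaps


def build(default_deny: bool) -> AccessControl:
    """Same assignments and the same single deny rule under either default setting."""
    acl = AccessControl(default_deny)
    acl.assign("jdoe", "cashier")
    acl.assign("msmith", "supervisor")
    acl.deny("jdoe", "refund")   # the one rule someone remembered to write
    return acl


# Constructed user listing; the last ID has no job function on file at all.
SAMPLE_USERS = ["jdoe", "msmith", "former_contractor"]

if __name__ == "__main__":
    for default_deny in (True, False):
        label = "deny-all" if default_deny else "allow-all"
        print(label, unauthorized_reach(build(default_deny), SAMPLE_USERS))
```

Under deny-all the reach list is empty and the one deny rule is redundant; under allow-all the same configuration exposes reporting and system administration to the cashier and every component to the ID with no role on file, which is what the reviewer would find by examining the system settings the form points to.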
Applicability: Terminal / Hosted Solution
PCI DSS Section: 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
Risk Assessment: Hosted Solutions: Review written policies/procedures and interview personnel to verify that procedures are implemented for user authentication and password management. Perform the following tests as part of this process:
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section: 8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
Risk Assessment: Select a sample of user IDs, including both administrators and general users. Verify that each user is authorized to use the system (examine the signed authorization form and compare to system access settings)
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section: 8.5.2 Verify user identity before performing password resets
Risk Assessment: Examine password procedures and observe security personnel to verify that, if a user requests a password reset by phone, e-mail, web, or other non-face-to-face method, the user’s identity is verified before the password is reset.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section: 8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use
Risk Assessment: Examine password procedures and observe security personnel to verify that first-time passwords for new users are set to a unique value for each user and changed after first use.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section: 8.5.4 Immediately revoke access for any terminated users
Risk Assessment: Select a sample of employees terminated in the past six months and review current user access lists to verify that their IDs were inactivated or removed within 24 hours of termination.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section: 8.5.5 Remove inactive user accounts at least every 90 days
Risk Assessment: Review a current listing of user IDs and verify that there are no inactive accounts over 90 days old.
Complies?: Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
                        8.5.7 Communicate password procedures and policies         Interview several staff members to verify that they are familiar       Yes          High
                             to all users who have access to cardholder data       with password procedures and policies.                                 No           Moderate
                                                                                                                                                                       Low
                        8.5.8 Do not use group, shared, or generic accounts        Examine access policies/procedures to verify that group and            Yes          High
                             and passwords                                         shared IDs/passwords are explicitly prohibited. Interview              No           Moderate
                                                                                   system administrators to verify that group and shared                               Low
                                                                                   IDs/passwords are not distributed, even if requested by
                                                                                   management.
                        8.5.9 Change user passwords at least every 90 days         Review user documentation provided by the vendor to verify             Yes          High
                                                                                   that user passwords are required to change at least every 90           No           Moderate
                                                                                   days, and that users are given guidance as to when, and under                       Low
                                                                                   what circumstances, passwords must change.
                        8.5.10 Require a minimum password length of at least       Review user documentation provided by the vendor to verify             Yes          High
                             seven characters                                      that user passwords are required to meet minimum length                No           Moderate
                                                                                   requirements (at least seven characters).                                           Low
                        8.5.11 Use passwords containing both numeric and           Review user documentation provided by the vendor to verify             Yes          High
                             alphabetic characters                                 that user passwords are required to contain both numeric and           No           Moderate
                                                                                   alphabetic characters.                                                              Low


   8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
   Risk Assessment: Review user documentation provided by the vendor to verify that new user passwords cannot be the same as the previous four passwords.
   Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:

   8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
   Risk Assessment: Review user documentation provided by the vendor to verify that user accounts are temporarily locked out after no more than six invalid access attempts.
   Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:

   8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID
   Risk Assessment: Review user documentation provided by the vendor to verify that once a user is locked out, they remain locked out for at least 30 minutes or until an administrator resets their account.
   Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:

   8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal
   Risk Assessment: Review user documentation provided by the vendor to verify that system/session idle time out features have been set to 15 minutes or less.
   Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:
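The 8.5 tests above are usually performed by hand against a user listing and the vendor's documentation; as an added example (not part of the OST form or any vendor's product), the Python below applies the concrete parameters from 8.5.4, 8.5.5, 8.5.8, 8.5.9 and 8.5.10 through 8.5.14 to a hypothetical user-ID export. The Account fields, the sample rows and the review date are assumptions constructed for illustration.

```python
"""Audit a hosted solution's user-account export against the PCI DSS 8.5 checks
on this form.  Added example, not part of the OST form or any vendor product:
the Account model, the export rows and the review date are all constructed."""
import hashlib, os, re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

REVIEW_DATE = datetime(2013, 3, 1)        # constructed "as of" date for the review
REVOKE_WITHIN = timedelta(hours=24)       # 8.5.4: terminated IDs inactivated within 24h
INACTIVE_LIMIT = timedelta(days=90)       # 8.5.5: no inactive accounts over 90 days
PASSWORD_MAX_AGE = timedelta(days=90)     # 8.5.9: passwords change at least every 90 days
MIN_LENGTH = 7                            # 8.5.10: at least seven characters
HISTORY_DEPTH = 4                         # 8.5.12: not the same as any of the last four
MAX_FAILED_ATTEMPTS = 6                   # 8.5.13: lock out after not more than six
LOCKOUT_DURATION = timedelta(minutes=30)  # 8.5.14: 30 minutes or until an admin resets

def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest; only digests are kept for the history comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    # One row of the hypothetical user-ID export from the hosted solution.
    user_id: str
    is_group_account: bool = False
    terminated_on: Optional[datetime] = None
    last_login: Optional[datetime] = None
    password_set: Optional[datetime] = None
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

def audit_accounts(accounts: List[Account], now: datetime):
    """Listing checks 8.5.4/8.5.5/8.5.8/8.5.9; returns (requirement, user_id, detail)."""
    findings = []
    for a in accounts:
        if a.terminated_on and now - a.terminated_on > REVOKE_WITHIN:
            findings.append(("8.5.4", a.user_id, "still enabled after termination"))
        if a.last_login is None or now - a.last_login > INACTIVE_LIMIT:
            findings.append(("8.5.5", a.user_id, "inactive for more than 90 days"))
        if a.is_group_account:
            findings.append(("8.5.8", a.user_id, "group/shared/generic account"))
        if a.password_set is None or now - a.password_set > PASSWORD_MAX_AGE:
            findings.append(("8.5.9", a.user_id, "password older than 90 days"))
    return findings

def check_new_password(candidate: str, account: Account) -> List[str]:
    """Return the requirement numbers a proposed new password would violate."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("8.5.10")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        violations.append("8.5.11")
    if any(pw_hash(candidate, s) == d for s, d in account.history[:HISTORY_DEPTH]):
        violations.append("8.5.12")
    return violations

def set_password(account: Account, new_password: str, now: datetime) -> None:
    """Accept a new password and push its digest onto the bounded history."""
    salt = os.urandom(16)
    account.history.insert(0, (salt, pw_hash(new_password, salt)))
    del account.history[HISTORY_DEPTH:]
    account.password_set = now

def record_login_attempt(account: Account, succeeded: bool, now: datetime) -> bool:
    """Apply the 8.5.13/8.5.14 lockout rules; True means the login may proceed."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return False  # refused even if the password is right
        account.locked_until, account.failed_attempts = None, 0  # lockout expired
    if succeeded:
        account.failed_attempts, account.last_login = 0, now
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_DURATION
    return False

def sample_accounts(now: datetime = REVIEW_DATE) -> List[Account]:
    """Constructed export: one compliant ID and three that produce findings."""
    d = timedelta
    ok = Account("jdoe", last_login=now - d(days=3))
    set_password(ok, "Winter2013x", now - d(days=30))
    stale = Account("rsmith", last_login=now - d(days=120), password_set=now - d(days=200))
    left = Account("tlee", terminated_on=now - d(days=10), last_login=now - d(days=12),
                   password_set=now - d(days=20))
    shared = Account("cashier", is_group_account=True, last_login=now, password_set=now - d(days=1))
    return [ok, stale, left, shared]

def demo_lockout(now: datetime = REVIEW_DATE):
    """Six bad attempts lock the ID; returns (locked, refused_while_locked, allowed_after)."""
    acct = Account("mchen", password_set=now)
    for i in range(MAX_FAILED_ATTEMPTS):
        record_login_attempt(acct, False, now + timedelta(seconds=i))
    locked = acct.locked_until is not None
    refused = not record_login_attempt(acct, True, now + timedelta(minutes=1))
    allowed = record_login_attempt(acct, True, now + LOCKOUT_DURATION + timedelta(minutes=1))
    return locked, refused, allowed
```

Each finding carries the requirement number so it can be copied straight into the "Describe How You Comply OR Document Remediation Plan" column; an empty findings list for a real export is the evidence the listing tests ask for.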
Applicability: Terminal / Hosted Solution
PCI DSS Section: 9.6 Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data.
Risk Assessment:
   Terminals: ensure that terminals are physically secured when not in use. Ensure that all staff members are trained on terminal use, and how to identify signs of tampering. Verify that paper and electronic media containing full debit/credit card numbers is stored in a secure location (locked filing cabinet or office, secure filing room).

   Hosted Solution: Ensure that PCs used to process debit/credit card transactions are not accessible to the public, and that staff are required to log off or initiate a password-protected screen saver when leaving the PC's physical location. Ensure that all staff members are trained on how to identify signs of tampering (i.e. new hardware devices "attached" to the PC). Ensure that receipts, documents and reports generated by the hosted solution do not contain full debit/credit card numbers. Verify that paper and electronic media containing full debit/credit card numbers is stored in a secure location (locked filing cabinet or office, secure filing room). Do not store electronic files (spreadsheets, imaged documents, word processing documents, etc) with full debit/credit card numbers on your network or PC hard drive unless they are secured through access control and encryption.

   Note: keys and other "access" devices such as key cards must also be secured. If all staff know their location, or can readily obtain them, this requirement is not met.

   Best Practice: limit storage of full debit/credit card numbers to what is absolutely necessary to conduct business. Do not store full debit/credit card numbers in any format (database, word or spreadsheet documents, imaged documents, etc) on your network or PC hard drive. Identify business processes that currently require the retention of this information, and work with internal support staff, your vendor and the Office of the State Treasurer to identify options to reduce or eliminate storage.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:
Applicability: Terminal / Hosted Solution
PCI DSS Section: 9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data including the following:
   9.7.1 Classify the media so it can be identified as confidential
   9.7.2 Send the media by secured courier or other delivery method that can be accurately tracked.
Risk Assessment: Review debit/credit card processing policies/procedures to verify that procedures exist to control distribution of media (hard copy and electronic) containing cardholder data. Select a sample of debit/credit card transactions and verify that supporting documents that include full debit/credit card numbers are identified as "confidential" and stored securely. If media is sent off site, ensure that a log is kept of all off site media, and media is transported by secured courier or another delivery method that can be accurately tracked.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data.
   9.9.1 Properly inventory all media and make sure it is securely stored.
Risk Assessment: Review policies/procedures addressing the maintenance and storage of hardcopy and electronic media containing cardholder data and verify that periodic media inventories are required. Obtain and review documentation of the last inventory conducted, and review inventory processes to verify that media was securely stored at the time the inventory was conducted.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:
   9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials
   9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.
Risk Assessment: Review policies/procedures addressing the destruction of media containing cardholder data. Confirm the following:
   - All hard copy materials must be cross-cut shredded, incinerated, or pulped.
   - Storage containers used for media to be destroyed are secure (containers are locked; individuals cannot reach through opening and pull out documents).
   - All electronic media (backup tapes, CDs, thumb drives) is destroyed beyond recovery by using a military wipe program to delete files, or via degaussing or otherwise physically destroying the media.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:




Applicability: Terminal / Hosted Solution
PCI DSS Section: 12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
   12.1.1 Addresses all requirements in this specification
   12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment
   12.1.3 Includes a review at least once a year and updates when the environment changes.
Risk Assessment: Obtain and examine the organization's security policy addressing debit/credit card transactions. Ensure that this policy:
   - Requires the organization and all relevant staff members to maintain compliance with PCI DSS.
   - Requires the organization to complete an annual risk assessment addressing debit/credit card activity.
   - Requires staff to review the policy at least once a year and whenever the card processing environment or business objectives change.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section: 12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
Risk Assessment: Obtain and review daily operating procedures for debit/credit card transaction processing. Verify that procedures are consistent with PCI DSS requirements, and include guidance for both administrators and regular users.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors
Risk Assessment: Verify that debit/credit card security policies/procedures clearly define information security responsibilities for employees and any 3rd party contractors hired to process debit/credit card transactions on behalf of the organization.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section: 12.5 Assign to an individual or team the following information security management responsibilities:
   12.5.1 Establish, document, and distribute security policies and procedures
   12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel
   12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
   12.5.4 Administer user accounts, including additions, deletions, and modifications
   12.5.5 Monitor and control all access to data.
Risk Assessment: Verify that the organization has formally assigned (i.e. within written policies or position descriptions) responsibility for debit/credit card transaction security to one or more members of management. Formally assigned duties must include:
   - The development and distribution of security policies and procedures related to debit/credit card transactions.
   - The monitoring and analysis of security alerts and information, including the distribution of this information to IT and business managers & staff.
   - The development, distribution and formal testing of incident response and escalation procedures in the event of a debit/credit card data breach.
   - Administration of user accounts, including user authentication, additions, deletions and modifications of user access.
   - Responsibility for monitoring and controlling all access to data.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm




Applicability: Terminal / Hosted Solution
PCI DSS Section: 12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
   12.6.1 Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions)
   12.6.2 Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures.
Risk Assessment: Verify the existence of a formal security awareness program for all employees. Obtain and examine security awareness program procedures and documentation and perform the following:
   - Verify that the program provides multiple methods of communicating awareness and educating users (for example, posters, e-mails, letters and formal meetings).
   - Interview several users to verify that they attended awareness training upon hire and at least annually thereafter.
   - Select a sample of users and obtain acknowledgement forms to verify that they have read and agreed to the organization's security policies and procedures.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section: 12.7 Screen potential employees to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Risk Assessment: Contact the Human Resources representative and verify that background checks are conducted on potential employees who will have access to cardholder data (i.e. access to files or reports with full debit/credit card numbers; access to hosted systems that allow users to view, report on, or download full debit/credit card numbers). Background checks may include pre-employment verification of application data, criminal background checks, credit history checks, and reference checks, but do not have to include all of these areas if not allowed by law, labor contract, or organizational policy.
   Best Practice: while not required for staff that do not have access to cardholder data, it is always advisable to perform some level of background verification on potential employees such as verification of application data and reference checks.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm

Applicability: Terminal / Hosted Solution
PCI DSS Section: 12.8 If cardholder data is shared with service providers, then contractually the following is required:
   12.8.1 Service providers must adhere to the PCI DSS requirements
   12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses.
Risk Assessment: Obtain the contract or user agreement between the organization and the 3rd party vendor providing debit/credit card transaction processing services. Verify that the contract/agreement contains provisions requiring the 3rd party vendor to maintain compliance with PCI DSS and acknowledgement that the vendor is responsible for the security of cardholder data in its possession.
   Best Practice: in addition, contracts/agreements should address the following:
   - Liability of the vendor in the event of a data breach that can be traced to the actions or inaction of the vendor (i.e. responsibility for payment of fines, penalties, lawsuits and other costs that may be incurred by the organization as a result of the vendor's breach).
   - Requirement that the vendor must inform the organization within 24 hours if it has knowledge of, or can reasonably expect that, a breach has occurred.
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan:

Applicability: Terminal / Hosted Solution
PCI DSS Section: 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
   12.9.1 Create the incident response plan to be implemented in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing the Acquirers and credit card associations)
Risk Assessment: Obtain the Incident Response Plan for debit/credit card data breaches and verify that:
   - Staff member roles, responsibilities and communication strategies in the event of a data breach are clearly documented.
   - The plan addresses all likely data breach scenarios (for example: missing/lost terminal, loss of hard copy records or electronic media, compromise of terminal or PC used to access hosted solution, data breach at 3rd party vendor).
   - The plan requires notification to credit card associations, the acquirer bank, the Office of the State Treasurer, and the 3rd party vendor (if they do not already know).
   - The plan addresses strategy for business continuity following the breach.
   - The plan references or includes incident response procedures from the card associations.
   - The plan addresses any additional notifications or actions that must be taken to comply with legal requirements (i.e. requirements of Senate Bill 583 or requirements stated in a contract/agreement with the vendor).
Complies? Yes / No   Risk Level: High / Moderate / Low   Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9.2 Test the plan at least annually.
Risk Assessment: Verify that the plan is tested at least annually by reviewing documentation/notes from the last test conducted.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9.4 Provide appropriate training to staff with security breach response responsibilities.
Risk Assessment: Verify through observation and/or review of policies that staff with security breach responsibilities receive training at least once a year.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm

67d7c72d-f80b-4974-9652-987f4f21d4aa.doc                                                                   Page 14




Columns: Applicability | PCI DSS Section | Risk Assessment | Complies? | Risk Level | Describe How You Comply OR Document Remediation Plan
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9.5 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.
Risk Assessment: Interview staff with security breach responsibilities to determine whether IT Security staff have a process in place to communicate to them any intrusion detection, intrusion prevention, and file integrity monitoring system alerts that could indicate an actual or potential breach of cardholder data.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Risk Assessment: Verify through discussion with relevant staff and/or review of security policies that the incident response plan is reviewed/updated at least annually, and that lessons learned and new industry developments are incorporated into the plan.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm





				
Document info: posted 7/23/2011; language: English; 16 pages.