Office of the State Treasurer (OST)
Payment Card Industry Data Security Standards (PCI DSS) Risk Assessment – Terminals & Hosted Solutions
OST Cash Management Policy 02 18 13.PO “Data Security” requires all state organizations to comply with PCI DSS and states that, “Agency management will annually review financial transaction related data security.” This form has been designed to assist organizations in conducting a financial transaction related data security review based on PCI DSS. This form can be used by organizations that use terminals to process point-of-sale and mail/telephone orders. It is also applicable for organizations that use a vendor hosted solution to process point-of-sale, mail/telephone and/or e-commerce transactions. With a hosted solution, the organization contracts out the processing, transmission, and storage of debit/credit card transactions to a 3rd party. Organization staff typically access the vendor hosted solution through a web browser to enter point-of-sale and mail/telephone initiated debit/credit card transactions, and e-commerce transactions are processed directly by the hosted solution.

State organizations using a software solution that resides on their network (i.e. the software application is loaded on a network server) cannot use this form for their data security review. These organizations will need to work directly with OST staff to complete their initial PCI DSS risk assessment.
State Organization Name: OREGON STATE UNIVERSITY
Unit/Section/Division:
Contact Name/Title:
Contact Phone #:
Contact E-mail:
Merchant Account Name(s):
Merchant ID(s) – Visa/MC:
Merchant ID(s) – Discover:
Terminal (USING CARD SWIPE MACHINE)
Purchased/Leased from US Bank
Purchased/Leased from a 3rd party vendor
Make/Model of Terminal:
Software/Version #:
Vendor:
Hosted Solution (USING WEB OR ONLINE APPLICATION)
Vendor Name:
Application Name:
Types of Transaction Processed: Point-of-Sale / Mail / Telephone / E-commerce
465b035c-f2d2-4d27-ac5a-cc086384d55f.doc Page 1
Purpose of this Risk Assessment Form:
This form has been designed to assist state organizations and OST in evaluating each organization’s level of compliance with PCI DSS. OST does not expect that organizations will be fully compliant with all requirements listed in this form initially. Each organization’s goal for this process should be to identify areas of non-compliance, prioritize remediation activities based on risk, and complete those activities no later than June 30 each year.
Definitions and Guidance for Fields within this Form
PCI DSS: Payment Card Industry Data Security Standards
PAN: Primary Account Number
Applicability: this field tells the user if the PCI DSS section and related test are applicable to their environment. Users should complete all sections that are applicable (indicated by a mark preceding the environment name).
PCI DSS Section: this field contains the PCI DSS sections (version 1.1 of the Standard) that are applicable to agencies and organizations that use terminals or hosted solutions.
Risk Assessment: this field contains procedures designed to assist the user in determining their level of compliance with the related PCI DSS section. Procedures have been developed based on the PCI DSS Security Audit Procedures (version 1.1) document issued by Visa/MasterCard. This field also contains “best practice” information designed to assist the agency/organization in reducing risk associated with the processing of debit/credit card transactions. Compliance with “best practice” guidance is not required, but should be considered during your review of business practices and objectives.
Complies?: following completion of the related risk assessment procedure, check the appropriate box to indicate if your organization is in compliance with the requirements of the PCI DSS Section.
Risk Level: If your organization is not in compliance with the requirements of the PCI DSS section, check the appropriate box to indicate the level of risk noncompliance places on your organization. In general, the following guidance can be used:
High – the organization has no controls in place to ensure compliance with this requirement. Noncompliance puts the agency/organization at significant risk for a loss of debit/credit card transaction data.
Moderate – the organization has partially implemented controls/processes needed to ensure compliance with this requirement. The agency/organization is at moderate risk for a loss of debit/credit card transaction data.
Low – the organization has implemented most if not all of the controls/processes needed to ensure compliance with this requirement. Remaining work is minimal, and does not put the organization at risk for a loss of debit/credit card transaction data.
Describe How You Comply OR Document Remediation Plan: describe how your organization has achieved compliance with the related PCI DSS section OR describe your plan to achieve compliance, including the names of staff members who will be responsible for completing the remediation steps, and the estimated completion date.
Deadlines
Remediation plans must allow the organization to achieve compliance with PCI DSS no later than June 30.
June 30 – State organizations must submit this form, indicating full compliance with all listed PCI DSS requirements, by June 30.
Questions/Assistance
Please contact OSU Cashier’s Office at 7-2597.
See OSU eCommerce Policy in the FIS Manual at: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Each section below carries the following fields: Applicability, PCI DSS Section, Risk Assessment, Complies?, Risk Level, and Describe How You Comply OR Document Remediation Plan.

PCI DSS Section 3.1 (Applicability: Terminal; Hosted Solution)
Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
Risk Assessment:
Best Practice: Do not store full credit card numbers and expiration dates. Review business practices and identify all opportunities to remove or redact this information from hard copy and electronic files maintained by your organization.
If you must store receipts/forms with the full credit card number, do not retain these documents for more than 36 months. Receipts with truncated card numbers should be retained for 6 years (exception: retain receipts for Discover card purchases for 7 years).
For terminals, most vendors can provide a software update that will truncate merchant and vendor copies of receipts, as well as daily reports. Refunds can typically be handled through your processor’s customer service unit, if the customer is not available to provide their number.
Most hosted solutions truncate credit card numbers for receipts, reports, and on-line access. These systems can process a refund without re-inputting the card number.
P.S. Do not image documents with full debit/credit card numbers. Redact or remove this information prior to imaging, as storing this information electronically can expose your organization to additional PCI DSS compliance requirements.
-----------------------------------------------------------------------
Review policies/procedures addressing data retention and disposal. Verify that this guidance includes, at a minimum:
• Statutory, contractual and business requirements for retention of cardholder data
• Provisions for the disposal of cardholder data when no longer needed
• Provisions for the storage of cardholder data in all formats used by the organization (hard copy, electronic files, database, etc).
• A programmatic process for the removal, at least on a quarterly basis, of stored cardholder data that has reached its retention date.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 3.2 (Applicability: Terminal; Hosted Solution)
Do not store sensitive authentication data subsequent to authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:
3.2.1 Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data.
3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
Risk Assessment:
Terminals: verify that the software running on your terminal(s) does not store the full contents of any track from the magnetic stripe, the card-validation code or value used to verify card-not-present transactions, or the personal identification number (PIN) or the encrypted PIN block. Recommended Action: contact your terminal provider and request that they verify this to you in writing.
Hosted Solutions: Hosted solutions that are PCI DSS compliant do not store sensitive authentication data subsequent to authorization. Recommended Action: verify that your service provider is PCI DSS compliant by reviewing Visa’s list of compliant service providers or request proof of compliance from the service provider in writing.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 3.3 (Applicability: Terminal; Hosted Solution)
Mask PAN (account number) when displayed (the first six and last four digits are the maximum number of digits to be displayed).
Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN; nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale [POS] receipts).
Risk Assessment:
Terminals: verify that, at a minimum, credit card numbers are truncated on customer receipts and documentation.
Hosted Solutions: verify that, at a minimum, credit card numbers are truncated on customer receipts/documentation. Review screens and reports available to staff through the hosted solution to verify that credit card numbers are masked.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
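The review steps for 3.1 (identify and redact full card numbers in files) and 3.3 (show at most the first six and last four digits) can be checked mechanically. The following is an added Python example, not part of the OST form or any vendor's product: the receipt text is constructed, the card numbers in it are industry test numbers, and the function names and the Luhn-based candidate filter are this example's own assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side. Regex alone over-matches (order
# numbers, phone numbers), so every candidate is also Luhn-checked below.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for each Luhn-valid card number in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def contains_full_pan(text: str) -> bool:
    """The 3.3 receipt/report check: True if any full PAN is present."""
    return bool(find_pans(text))


def mask_pan(raw: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a card number in place, keeping separators. Defaults are the
    3.3 maximum (first six, last four); keep_first=0 gives last-four-only."""
    n_digits = sum(c.isdigit() for c in raw)
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            hide = keep_first <= seen < n_digits - keep_last
            out.append("*" if hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact(text: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Replace every full PAN in text with its masked form (3.1 redaction)."""
    pieces, last = [], 0
    for start, end, _ in find_pans(text):
        pieces.append(text[last:start])
        pieces.append(mask_pan(text[start:end], keep_first, keep_last))
        last = end
    pieces.append(text[last:])
    return "".join(pieces)


# Constructed sample: an order number that happens to be 16 digits (Luhn fails,
# so it is left alone), a phone number, and two industry test card numbers.
SAMPLE_RECEIPT = (
    "Order 1234 5678 9012 3456  Card: 4111 1111 1111 1111  Auth 031245\n"
    "Phone: 541-737-2597  Discover: 6011-1111-1111-1117\n"
)

if __name__ == "__main__":
    print("full PAN present:", contains_full_pan(SAMPLE_RECEIPT))
    print(redact(SAMPLE_RECEIPT))
```

Run against exported receipt or report files before imaging or retention, the same functions flag documents that still need redaction under 3.1.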
PCI DSS Section 4.1 (Applicability: Terminal; Hosted Solution)
Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).
Risk Assessment:
Terminals: if your terminal uses a dedicated landline, this is not an issue. However, if your organization is using Voice Over IP (VOIP) for communication, verify that all transmissions are encrypted (review system documentation/manuals and confirm with your vendor that processing software is set to encrypt transmissions).
Hosted Solution: verify through review of system documentation/manuals and confirmation with your vendor that all sessions are encrypted. Review screens available to staff to determine if encryption is active (click on the small yellow padlock in the lower right corner of the screen to verify).
Best Practice: Use a vendor that has certified PCI DSS compliance for their software or hosted solution. A list of certified software solutions can be found at Validated Payment Applications. Compliant service providers are listed at Visa Compliant Service Providers.
Complies?: Yes / No / N/A    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 4.1.1 (Applicability: Terminal; Hosted Solution)
For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
• Use with a minimum 104-bit encryption key and 24-bit initialization value
• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel with access to keys
• Restrict access based on media access code (MAC) address.
Risk Assessment:
Terminals: this is only applicable if you use a wireless terminal, or if your terminal has this capability. If your terminal uses wireless communication or can use this option, verify that all transmissions are encrypted or that this option is disabled for your terminal (review system documentation/manuals and confirm with your vendor that processing software is set to encrypt transmissions or the option is disabled).
Hosted Solutions: this is only applicable if you use a wireless network to access the hosted solution, or could use your network’s wireless functionality to do so. Verify through discussion with your Information Systems group that your wireless network meets the encryption requirements of 4.1.1 or verify through review of internal policies/procedures that access via wireless is strictly prohibited.
Complies?: Yes / No / N/A    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 4.2 (Applicability: Terminal; Hosted Solution)
Never send unencrypted PANs by e-mail.
Risk Assessment: Review policies/procedures addressing the use of e-mail. Ensure that the transmission of debit/credit card numbers via e-mail is specifically prohibited unless the sender has the ability to encrypt e-mail. If e-mail encryption is available, ensure that the policy/procedure requires staff to encrypt all e-mail containing debit/credit card numbers. Talk with staff members responsible for debit/credit card transaction processing to ensure that they are aware of this requirement.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 5.1 (Applicability: Terminal; Hosted Solution)
Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers). Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
Risk Assessment: Hosted Solutions: talk with your Information Technology group to verify that personal computers and servers used to access the hosted solution have anti-virus programs installed that are capable of detecting, removing, and protecting against viruses and other forms of malicious software, including spyware and adware.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 5.2 (Applicability: Terminal; Hosted Solution)
Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Risk Assessment: Hosted Solutions: talk with your Information Technology group to verify that anti-virus programs cannot be modified or turned off by non-IT staff members, and that they are set to update automatically (or, at a minimum, at least once every 24 hours). Review several machines used to access the hosted solution and verify that anti-virus software is current, actively running and capable of generating audit logs.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 7.1 (Applicability: Terminal; Hosted Solution)
Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
Risk Assessment: Hosted Solutions: Verify that written policies/procedures addressing debit/credit card processing and access control exist, and incorporate the following:
• Staff access rights must be limited to the least privileges necessary to perform their assigned job functions.
• Assignment of privileges is based on the staff member’s job classification and function.
• An authorization form signed by the staff member’s manager that specifies required privileges (or a process that is equivalent and documented in writing) is required for access.
• A requirement that any solution used must include an automated access control system that supports access levels based on job function.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 7.2 (Applicability: Terminal; Hosted Solution)
Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.
Risk Assessment: Hosted Solutions: Examine system settings and vendor documentation to verify that an access control system is implemented and that it includes the following:
• Coverage of all system components (for example, transaction entry screens, reporting, and system administration)
• Assignment of privileges to individuals based on job classification and function
• Default “deny-all” setting (some access control systems are set by default to “allow-all”, thereby permitting access unless/until a rule is written to specifically deny it)
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 8.1 (Applicability: Terminal; Hosted Solution)
Identify all users with a unique user name before allowing them to access system components or cardholder data.
Risk Assessment: Hosted Solution: Obtain a current listing of all user IDs and verify that all users have a unique username for access to system components or cardholder data.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 8.2 (Applicability: Terminal; Hosted Solution)
In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
• Password
• Token devices (e.g., SecureID, certificates, or public key)
• Biometrics.
Risk Assessment: Hosted Solution: Obtain and examine system documentation and written policies/procedures describing the authentication method used to obtain access to the hosted solution. For each level of access (i.e. transaction processing, refunding, administration) observe a staff member signing on to the hosted solution to verify that authentication is functioning consistent with documented processes (for example, verify that each user must enter their user ID and password to gain access to the system).
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 8.5 (Applicability: Terminal; Hosted Solution)
Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
Risk Assessment: Hosted Solutions: Review written policies/procedures and interview personnel to verify that procedures are implemented for user authentication and password management. Perform the following tests as part of this process:
PCI DSS Section 8.5.1
Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Risk Assessment: Select a sample of user IDs, including both administrators and general users. Verify that each user is authorized to use the system (examine the signed authorization form and compare to system access settings).
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.2
Verify user identity before performing password resets.
Risk Assessment: Examine password procedures and observe security personnel to verify that, if a user requests a password reset by phone, e-mail, web, or other non-face-to-face method, the user’s identity is verified before the password is reset.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.3
Set first-time passwords to a unique value for each user and change immediately after the first use.
Risk Assessment: Examine password procedures and observe security personnel to verify that first-time passwords for new users are set to a unique value for each user and changed after first use.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.4
Immediately revoke access for any terminated users.
Risk Assessment: Select a sample of employees terminated in the past six months and review current user access lists to verify that their IDs were inactivated or removed within 24 hours of termination.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.5
Remove inactive user accounts at least every 90 days.
Risk Assessment: Review a current listing of user IDs and verify that there are no inactive accounts over 90 days old.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.7
Communicate password procedures and policies to all users who have access to cardholder data.
Risk Assessment: Interview several staff members to verify that they are familiar with password procedures and policies.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.8
Do not use group, shared, or generic accounts and passwords.
Risk Assessment: Examine access policies/procedures to verify that group and shared IDs/passwords are explicitly prohibited. Interview system administrators to verify that group and shared IDs/passwords are not distributed, even if requested by management.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.9
Change user passwords at least every 90 days.
Risk Assessment: Review user documentation provided by the vendor to verify that user passwords are required to change at least every 90 days, and that users are given guidance as to when, and under what circumstances, passwords must change.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.10
Require a minimum password length of at least seven characters.
Risk Assessment: Review user documentation provided by the vendor to verify that user passwords are required to meet minimum length requirements (at least seven characters).
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.11
Use passwords containing both numeric and alphabetic characters.
Risk Assessment: Review user documentation provided by the vendor to verify that user passwords are required to contain both numeric and alphabetic characters.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 8.5.12
Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
Risk Assessment: Review user documentation provided by the vendor to verify that new user passwords cannot be the same as the previous four passwords.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.13
Limit repeated access attempts by locking out the user ID after not more than six attempts.
Risk Assessment: Review user documentation provided by the vendor to verify that user accounts are temporarily locked out after no more than six invalid access attempts.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.14
Set the lockout duration to thirty minutes or until an administrator enables the user ID.
Risk Assessment: Review user documentation provided by the vendor to verify that once a user is locked out, they remain locked out for at least 30 minutes or until an administrator resets their account.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:

PCI DSS Section 8.5.15
If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
Risk Assessment: Review user documentation provided by the vendor to verify that system/session idle time-out features have been set to 15 minutes or less.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 9.6 (Applicability: Terminal; Hosted Solution)
Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data.
Risk Assessment:
Terminals: ensure that terminals are physically secured when not in use. Ensure that all staff members are trained on terminal use, and how to identify signs of tampering. Verify that paper and electronic media containing full debit/credit card numbers is stored in a secure location (locked filing cabinet or office, secure filing room).
Hosted Solution: Ensure that PCs used to process debit/credit card transactions are not accessible to the public, and that staff are required to log off or initiate a password-protected screen saver when leaving the PC’s physical location. Ensure that all staff members are trained on how to identify signs of tampering (i.e. new hardware devices “attached” to the PC). Ensure that receipts, documents and reports generated by the hosted solution do not contain full debit/credit card numbers. Verify that paper and electronic media containing full debit/credit card numbers is stored in a secure location (locked filing cabinet or office, secure filing room). Do not store electronic files (spreadsheets, imaged documents, word processing documents, etc) with full debit/credit card numbers on your network or PC hard drive unless they are secured through access control and encryption.
Note: keys and other “access” devices such as key cards must also be secured. If all staff know their location, or can readily obtain them, this requirement is not met.
Best Practice: limit storage of full debit/credit card numbers to what is absolutely necessary to conduct business. Do not store full debit/credit card numbers in any format (database, word or spreadsheet documents, imaged documents, etc) on your network or PC hard drive. Identify business processes that currently require the retention of this information, and work with internal support staff, your vendor and the Office of the State Treasurer to identify options to reduce or eliminate storage.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 9.7 (Applicability: Terminal; Hosted Solution)
Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data including the following:
9.7.1 Classify the media so it can be identified as confidential.
9.7.2 Send the media by secured courier or other delivery method that can be accurately tracked.
Risk Assessment: Review debit/credit card processing policies/procedures to verify that procedures exist to control distribution of media (hard copy and electronic) containing cardholder data. Select a sample of debit/credit card transactions and verify that supporting documents that include full debit/credit card numbers are identified as “confidential” and stored securely. If media is sent off site, ensure that a log is kept of all off-site media, and that media is transported by secured courier or another delivery method that can be accurately tracked.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 9.9 (Applicability: Terminal; Hosted Solution)
Maintain strict control over the storage and accessibility of media that contains cardholder data.
9.9.1 Properly inventory all media and make sure it is securely stored.
Risk Assessment: Review policies/procedures addressing the maintenance and storage of hardcopy and electronic media containing cardholder data and verify that periodic media inventories are required. Obtain and review documentation of the last inventory conducted, and review inventory processes to verify that media was securely stored at the time the inventory was conducted.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 9.10 (Applicability: Terminal; Hosted Solution)
Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:
9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials.
9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.
Risk Assessment: Review policies/procedures addressing the destruction of media containing cardholder data. Confirm the following:
• All hard copy materials must be cross-cut shredded, incinerated, or pulped.
• Storage containers used for media to be destroyed are secure (containers are locked; individuals cannot reach through the opening and pull out documents).
• All electronic media (backup tapes, CDs, thumb drives) is destroyed beyond recovery by using a military wipe program to delete files, or via degaussing or otherwise physically destroying the media.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 12.1 (Applicability: Terminal; Hosted Solution)
Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
12.1.1 Addresses all requirements in this specification.
12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
12.1.3 Includes a review at least once a year and updates when the environment changes.
Risk Assessment: Obtain and examine the organization’s security policy addressing debit/credit card transactions. Ensure that this policy:
• Requires the organization and all relevant staff members to maintain compliance with PCI DSS.
• Requires the organization to complete an annual risk assessment addressing debit/credit card activity.
• Requires staff to review the policy at least once a year and whenever the card processing environment or business objectives change.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
PCI DSS Section 12.2 (Applicability: Terminal; Hosted Solution)
Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
Risk Assessment: Obtain and review daily operating procedures for debit/credit card transaction processing. Verify that procedures are consistent with PCI DSS requirements, and include guidance for both administrators and regular users.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
PCI DSS Section 12.4 (Applicability: Terminal; Hosted Solution)
Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
Risk Assessment: Verify that debit/credit card security policies/procedures clearly define information security responsibilities for employees and any 3rd party contractors hired to process debit/credit card transactions on behalf of the organization.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
PCI DSS Section 12.5 (Applicability: Terminal; Hosted Solution)
Assign to an individual or team the following information security management responsibilities:
12.5.1 Establish, document, and distribute security policies and procedures.
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
12.5.4 Administer user accounts, including additions, deletions, and modifications.
12.5.5 Monitor and control all access to data.
Risk Assessment: Verify that the organization has formally assigned (i.e. within written policies or position descriptions) responsibility for debit/credit card transaction security to one or more members of management. Formally assigned duties must include:
• The development and distribution of security policies and procedures related to debit/credit card transactions.
• The monitoring and analysis of security alerts and information, including the distribution of this information to IT and business managers & staff.
• The development, distribution and formal testing of incident response and escalation procedures in the event of a debit/credit card data breach.
• Administration of user accounts, including user authentication, additions, deletions and modifications of user access.
• Responsibility for monitoring and controlling all access to data.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
PCI DSS Section 12.6 (Applicability: Terminal; Hosted Solution)
Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
12.6.1 Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions).
12.6.2 Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.
Risk Assessment: Verify the existence of a formal security awareness program for all employees. Obtain and examine security awareness program procedures and documentation and perform the following:
• Verify that the program provides multiple methods of communicating awareness and educating users (for example, posters, e-mails, letters and formal meetings).
• Interview several users to verify that they attended awareness training upon hire and at least annually thereafter.
• Select a sample of users and obtain acknowledgement forms to verify that they have read and agreed to the organization’s security policies and procedures.
Complies?: Yes / No    Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.7 Screen potential employees to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Risk Assessment: Contact the Human Resources representative and verify that background checks are conducted on potential employees who will have access to cardholder data (i.e. access to files or reports with full debit/credit card numbers; access to hosted systems that allow users to view, report on, or download full debit/credit card numbers). Background checks may include pre-employment verification of application data, criminal background checks, credit history checks, and reference checks, but do not have to include all of these areas if not allowed by law, labor contract, or organizational policy.
Best Practice: while not required for staff that do not have access to cardholder data, it is always advisable to perform some level of background verification on potential employees, such as verification of application data and reference checks.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.8 If cardholder data is shared with service providers, then contractually the following is required:
12.8.1 Service providers must adhere to the PCI DSS requirements
12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses.
Risk Assessment: Obtain the contract or user agreement between the organization and the 3rd party vendor providing debit/credit card transaction processing services. Verify that the contract/agreement contains provisions requiring the 3rd party vendor to maintain compliance with PCI DSS and an acknowledgement that the vendor is responsible for the security of cardholder data in its possession.
Best Practice: in addition, contracts/agreements should address the following:
- Liability of the vendor in the event of a data breach that can be traced to the actions or inaction of the vendor (i.e. responsibility for payment of fines, penalties, lawsuits and other costs that may be incurred by the organization as a result of the vendor’s breach)
- Requirement that the vendor must inform the organization within 24 hours if it has knowledge of, or can reasonably expect that, a breach has occurred.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan:
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
12.9.1 Create the incident response plan to be implemented in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing the Acquirers and credit card associations)
Risk Assessment: Obtain the Incident Response Plan for debit/credit card data breaches and verify that:
- Staff member roles, responsibilities and communication strategies in the event of a data breach are clearly documented.
- The plan addresses all likely data breach scenarios (for example: missing/lost terminal, loss of hard copy records or electronic media, compromise of terminal or PC used to access hosted solution, data breach at 3rd party vendor).
- The plan requires notification to credit card associations, the acquirer bank, the Office of the State Treasurer, and the 3rd party vendor (if they do not already know).
- The plan addresses strategy for business continuity following the breach.
- The plan references or includes incident response procedures from the card associations.
- The plan addresses any additional notifications or actions that must be taken to comply with legal requirements (i.e. requirements of Senate Bill 583 or requirements stated in a contract/agreement with the vendor).
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9.2 Test the plan at least annually
Risk Assessment: Verify that the plan is tested at least annually by reviewing documentation/notes from the last test conducted.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9.4 Provide appropriate training to staff with security breach response responsibilities
Risk Assessment: Verify through observation and/or review of policies that staff with security breach responsibilities receive training at least once a year.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9.5 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems
Risk Assessment: Interview staff with security breach responsibilities to determine if IT Security staff have a process in place to communicate intrusion detection, intrusion prevention, and file integrity monitoring system alerts with them that could indicate an actual or potential breach of cardholder data.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm
Applicability: Terminal; Hosted Solution
PCI DSS Section: 12.9.6 Develop process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Risk Assessment: Verify through discussion with relevant staff and/or review of security policies that the incident response plan is reviewed/updated at least annually, and that lessons learned and new industry developments are incorporated into the plan.
Complies? Yes / No
Risk Level: High / Moderate / Low
Describe How You Comply OR Document Remediation Plan: SEE: http://oregonstate.edu/dept/budgets/FISManual/FIS1401-06.htm