All passwords to systems that access credit card information/transactions must conform to Cornell University's password complexity guidelines. Passwords must be set to expire after no longer than 90 days and must be changed. Users cannot submit a new password that is the same as any of the last four passwords they have used.
Wherever passwords are stored, they are strongly encrypted. Strong encryption is defined as cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or Äúone way‚ Äù). SHA-1 is an example of an industry-tested and accepted hashing algorithm. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). For more information, see the National Institute of Standards and Technology (NIST) Special Publication 800-57.
Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
“Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
Make sure all visitors are...
A “visitor” is defined as a vendor, a guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.
- Classify media so it can be identified as confidential
- Ship media by secured courier or other delivery method that can be accurately tracked
- Obtain management approval for moving any and all media containing cardholder data from a secured area (especially when media is distributed to individuals)
- Maintain strict control over the storage and accessibility of media that contains cardholder data
- Properly maintain inventory logs of all media and conduct media inventories at least annually
- Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed
- Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed
To maintain compliance with PCI DSS, units must never store sensitive information relating to credit card transactions. Units should analyze carefully why it is “necessary” to keep data that requires encryption, firewalling, special handling, and strict adherence to restrictive business practices and expansive technical solutions. Thoroughly explore other means to achieve the same goals without storing sensitive data and/or consult the Cash Management Office.
The Card Verification Code or Value ( CVC, CVV, et al.) is only necessary when your customer is entering it on your Web site. Units are prohibited from asking for this information when designing pamphlets or any materials that go out to prospective customers. Refer to the Data That Must Never Be Stored below. If you currently have forms, literature, etc. that requests this information, you must amend and eliminate that request.
Note: For further details, see University Policy 3.17, Accepting Credit Cards to Conduct University Business.
- One-way hashes based on strong cryptography
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures
Units should consult with technical staff to implement the requirements for storing data securely. The minimum account information that must be rendered unreadable is the PAN.
Units must protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:
Units must also fully document and implement all key-management processes and procedures, including the generation, distribution, and storage of secure cryptographic keys used for encrypting cardholder data.
All systems storing cardholder data must have the following:
Additionally, system passwords must conform to the rules stated in University Policy 3.17, Accepting Credit Cards to Conduct University Business.
Servers must be housed in the CIT server farm. If servers are not housed in the CIT server farm, they must be housed in a facility that restricts physical access such that:
Please refer to "Decommissioning of Computer Systems and Electronic Media Devices" in the Procedures of University Policy 3.17, Accepting Credit Cards to Conduct University Business.