Data Storage Requirements

Establishing Passwords and Accounts

All passwords to systems that access credit card information/transactions must conform to Cornell University's password complexity guidelines. Passwords must expire, and be changed, after no more than 90 days. Users cannot submit a new password that is the same as any of the last four passwords they have used.

Wherever passwords are stored, they are strongly encrypted. Strong encryption is defined as cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). SHA-1 is an example of an industry-tested and accepted hashing algorithm. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). For more information, see the National Institute of Standards and Technology (NIST) Special Publication 800-57.

Requirements for Compliance

  • Review and remove unnecessary accounts from the list of user accounts
  • Change all default or vendor-supplied passwords, encryption keys, and SNMP community strings
  • Do not share user accounts. Each user must have a unique account
  • Limit repeated failed access attempts to no more than six. After six failed attempts, the account must be locked for no less than 30 minutes or until an administrator enables the user account
  • Require users to re-enter their passwords to reactivate sessions that are idle for more than 15 minutes. For example, use password-protected screen savers
  • Authenticate all access to any database containing cardholder data, including access by applications, administrators, and all users
  • Communicate the rules regarding passwords and account management to users during their yearly PCI training


Limiting Physical Access to Cardholder Data

Monitor Physical Access

Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

  • Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas. Store media for at least three months, unless otherwise restricted by law.
  • Protect video cameras or other mechanisms from tampering or disabling.
  • Restrict physical access to publicly accessible network jacks.
  • Restrict physical access to wireless access points, gateways, and handheld devices.

“Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

Restrict and Monitor Visitor Activity

Make sure all visitors are...

  • Authorized before entering areas where cardholder data is processed or maintained.
  • Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
  • Asked to surrender the physical token before leaving the facility or at the date of expiration.
  • Recorded in a visitor log to maintain a physical audit trail of visitor activity. Document the visitor’s name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

A “visitor” is defined as a vendor, a guest of an employee, service personnel, or anyone who needs to enter the facility for a short duration, usually not more than one day.

Secure All Media

  • Store media back-up in a secure off-site location. Review the location’s security at least annually
  • Physically secure all paper and electronic media that contain cardholder data
  • Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data by the following means:
      • Classify media so it can be identified as confidential
      • Ship media by secured courier or other delivery method that can be accurately tracked
      • Obtain management approval for moving any and all media containing cardholder data from a secured area (especially when media is distributed to individuals)
  • Maintain strict control over the storage and accessibility of media that contains cardholder data
  • Properly maintain inventory logs of all media and conduct media inventories at least annually
  • Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed
  • Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed


Storing Data

To maintain compliance with PCI DSS, units must never store sensitive information relating to credit card transactions. Units should analyze carefully why it is “necessary” to keep data that requires encryption, firewalling, special handling, and strict adherence to restrictive business practices and expansive technical solutions. Thoroughly explore other means to achieve the same goals without storing sensitive data and/or consult the Cash Management Office.

Collecting Data

The Card Verification Code or Value (CVC, CVV, et al.) is only necessary when your customer is entering it on your Web site. Units are prohibited from asking for this information when designing pamphlets or any materials that go out to prospective customers. Refer to Data That Must Never Be Stored below. If you currently have forms, literature, etc. that request this information, you must amend them to eliminate that request.

Data That Must Never Be Stored

  • Full contents of any track from a magnetic stripe
  • Card Verification Codes or Values (CAV2/CVC2/CVV2/CID numbers) – the three-digit number from the back of the card
  • Personal Identification Number (PIN/PIN Block)

Note: For further details, see University Policy 3.17, Accepting Credit Cards to Conduct University Business.

Data That Can Be Stored

  • The last four digits of the primary account number (PAN) - the number must be masked except for the last four digits anywhere it is stored (this includes all portable devices, logs, backup media, A/P systems, etc.). This information may be stored in the following ways:
      • One-way hashes based on strong cryptography
      • Truncation
      • Index tokens and pads (pads must be securely stored)
      • Strong cryptography with associated key-management processes and procedures

Protecting Stored Data

Units should consult with technical staff to implement the requirements for storing data securely. The minimum account information that must be rendered unreadable is the PAN.

Units must protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:

  • Restrict access to cryptographic keys to the fewest number of custodians necessary
  • Store cryptographic keys securely in the fewest possible locations and forms

Units must also fully document and implement all key-management processes and procedures, including the generation, distribution, and storage of secure cryptographic keys used for encrypting cardholder data.


Maintaining Servers

All systems storing cardholder data must have the following:

  • Antivirus software that is regularly updated (if available for the OS).
  • Firewall software, either the default firewall included with the operating system or a third-party package.
  • Intrusion detection software. (This can be coupled with the firewall software.)
  • Integrity monitoring software, such as Tripwire, that monitors critical system files.

Additionally, system passwords must conform to the rules stated in University Policy 3.17, Accepting Credit Cards to Conduct University Business.

System Maintenance Requirements

  • Operating systems and applications must be regularly updated with vendor-supplied critical security patches within one month of the patches being published. All patches must be tested before they are deployed.
  • Any system used to process credit card transactions must be dedicated to processing credit cards. These systems must not be used as general productivity systems. Access to these systems must be restricted only to those staff members whose job requires such access. Physical security to these systems must be restricted and monitored.
  • System logging must be enabled and reviewed regularly. For example, for Windows systems, the System, Application, and Security logs must be enabled. The audit history must be maintained for one year, with at least three months available for immediate analysis. Application logging for Web and database applications must be enabled and actively monitored.
  • System clocks must be synchronized via Network Time Protocol (NTP).
  • Servers must be scanned for vulnerabilities quarterly. This scan includes scans for vulnerabilities in the operating system as well as in any services running on the system, such as Web applications.
  • Each server must have only one primary function.
  • All unnecessary functionality must be disabled or removed.
  • The system security must be configured based on current best practices.
  • All non-console administrative access must be encrypted.
  • Servers must be housed in a physically secure environment.


Securing Servers

Servers must be housed in the CIT server farm. If servers are not housed in the CIT server farm, they must be housed in a facility that restricts physical access such that:

  • Only those staff members whose job requires such access can gain access to the systems
  • All accesses are logged and/or monitored through card access systems, video cameras, etc.
  • Visitors are logged and have a token indicating they are visitors
  • Back-up media is logged, stored within a secure environment, and destroyed based on a predetermined schedule


Decommissioning Computer Systems and Electronic Media Devices

Please refer to "Decommissioning of Computer Systems and Electronic Media Devices" in the Procedures of University Policy 3.17, Accepting Credit Cards to Conduct University Business.