Connecting to the CIT PCI-Compliant Network

To assist units in creating a compliant network infrastructure, CIT will maintain a PCI-compliant network that will satisfy many of the network-based PCI requirements. Units running systems that must be PCI-compliant will logically route those systems through this server to enable the server to enforce the necessary PCI rules upon the devices and any traffic to and from them. To connect to the security server, each unit will purchase a small virtual private networking (VPN) device that will be configured by CIT to create a private network between it and the central security server. This configuration will allow such private networks to be deployed anywhere on the Cornell campus or on the Internet. (Remote offices or traveling staff members can easily deploy the small VPN device wherever they are.) Any system, from point-of-sale systems to desktop systems to Web servers, must reside behind these VPN devices.

Required Documentation

Each unit is required to create and maintain documentation that is specific to the unit’s network and firewall configuration, business practices and procedures, and list of authorized personnel who are involved in any facet of credit card operations. This documentation must be shared with employees and updated when changes occur. Detailed documentation is a critical component of compliance and an essential tool should a breach occur.

Maintaining Audit Trails and Logging

Units connecting to CIT's Central PCI-Compliant Network must do the following:

  • Perform a yearly inventory of all storage media, and keep a log documenting that inventory
  • Maintain a visitor log to keep a physical audit trail of visitor activity. The log must document the visitor's name, their affiliation, and the employee authorizing physical access. This log must be retained for a minimum of three months.
  • Keep automated audit trails for all system components, reconstructing the following events:
      • All individual accesses to cardholder data
      • All actions taken by any individual with root or administrative privileges
      • Access to all audit trails
      • Invalid logical access attempts
      • Use of identification and authentication mechanisms
      • Initialization of the audit logs
      • Creation and deletion of system-level objects
  • Record the following audit trail entries for all system components for each audit event:
      • User identification
      • Type of event
      • Date and time
      • Success or failure indication
      • Origination of event
      • Identity or name of affected data, system component, or resource
  • Synchronize all system clocks and times
  • Secure audit trails so they cannot be altered without proper authorization, and limit access to audit trails only to those with a job-related need to access them
  • Write and back up audit logs to centralized log servers or media
  • Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (though new data being added to the log will not cause an alert)
  • Review all logs at least daily, including logs for all components of the PCI infrastructure
  • Retain audit trail histories for at least one year, with a minimum of three months immediately available for analysis
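
The change-detection requirement above (alert when existing log data changes, stay quiet when new entries are appended) can be met by hashing only the bytes that were present at the last baseline. The following is an added example, not CIT's tooling; the function names, the log line layout, and the sample entries are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Baseline for a log: its current length and the SHA-256 of those bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def check(path, baseline):
    """Return 'unchanged', 'appended', or an 'ALERT: ...' string."""
    size = os.path.getsize(path)
    if size < baseline["size"]:
        return "ALERT: truncated"  # existing entries were removed
    with open(path, "rb") as f:
        prefix = f.read(baseline["size"])  # only the bytes already baselined
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "ALERT: existing data modified"
    return "appended" if size > baseline["size"] else "unchanged"

def demo():
    """Exercise check() on a constructed log file; returns the four verdicts."""
    # Constructed sample entries: time, user, event type, result, origin, resource.
    first = b"2024-01-05T10:00:00Z user=alice event=login result=success src=10.0.0.5 target=pos-01\n"
    second = b"2024-01-05T10:02:11Z user=alice event=read result=failure src=10.0.0.5 target=cardholder-db\n"
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "audit.log")
        with open(path, "wb") as f:
            f.write(first)
        baseline = snapshot(path)
        verdicts.append(check(path, baseline))   # nothing happened yet
        with open(path, "ab") as f:
            f.write(second)
        verdicts.append(check(path, baseline))   # new entry: no alert
        with open(path, "wb") as f:              # same length, edited user field
            f.write(first.replace(b"alice", b"bobby") + second)
        verdicts.append(check(path, baseline))
        with open(path, "wb"):                   # log emptied
            pass
        verdicts.append(check(path, baseline))
    return verdicts

if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere other than the monitored host, and take a fresh baseline at each log rotation, since a rotated file otherwise reports as truncated.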

Monitoring and Testing of Network

System activity logs are critical in preventing, detecting, or minimizing the impact of a data compromise. Logs must be checked daily, at a minimum. Audit trail history must be retained for one year, with a strong recommendation that the most current quarter be readily available in the event of a compromise.