Units that are maintaining a network and system architecture used to process credit card transactions must complete a diagram or description of the PCI-related environment being used.
The diagram or description must include the following information:
- What systems are in the PCI environment, including servers, desktops, and networking gear.
- What applications are running. Include servers, like Web servers or ssh servers, as well as specific applications that might run on those servers, such as a shopping cart product that runs in the Web server.
- Where the credit card data is stored, how it is stored, and how it is encrypted.
- What path the credit card data takes as it is processed.
- What connections can be made into and out of the PCI environment. Indicate specific protocols being used.
- Where any firewalls, intrusion detection systems (IDSs), or other hardware connect into the environment.
Connecting to the CIT PCI-Compliant Network
To assist units in creating a compliant network infrastructure, CIT will maintain a PCI-compliant network that will satisfy many of the network-based PCI requirements. Units running systems that must be PCI-compliant will logically route those systems through this server to enable the server to enforce the necessary PCI rules upon the devices and any traffic to and from them. To connect to the security server, each unit will purchase a small virtual private networking (VPN) device that will be configured by CIT to create a private network between it and the central security server. This configuration will allow such private networks to be deployed anywhere on the Cornell campus or on the Internet. (Remote offices or traveling staff members can easily deploy the small VPN device wherever they are.) Any system, from point-of-sale systems to desktop systems to Web servers, must reside behind these VPN devices.
Required Documentation
Each unit is required to create and maintain documentation that is specific to the unit’s network and firewall configuration, business practices and procedures, list of authorized personnel that are involved in any facet of credit card operations. This documentation must be shared with employees and updated when changes occur. Detailed documentation is a critical component of compliance and an essential tool should a breach occur.
Maintaining Audit Trails and Logging
Units connecting to CIT's Central PCI-Compliant Network must do the following:
- Perform a yearly inventory of all storage media, and keep a log documenting that inventory
- Maintain a visitor log to keep a physical audit trail of visitor activity. The log must document the visitor's name, their affiliation, and the employee authorizing physical access. This log must be retained for a minimum of three months.
- Keep automated audit trails for all system components, reconstructing the following events:
- All individual accesses to cardholder data
- All actions taken by any individual with root or administrative privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of identification and authentication mechanisms
- Initialization of the audit logs
- Creation and deletion of system-level objects
- Record the following audit trail entries for all system components for each audit event:
- Identity or name of affected data, system component, or resource
- Origination of event
- Success or failure indication
- Date and time
- Type of event
- User identification
- Synchronize all system clocks and times are synchronized
- Secure audit trails so they cannot be altered without proper authorization, and limit access to audit trails only to those with a job-related need to access them
- Write and back up audit logs to centralized log servers or media
- Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (though new data being added to the log will not cause an alert)
- Review all logs at least daily, including logs for all components of the PCI infrastructure
- Retain audit trail histories for at least one year, with a minimum of three months immediately available for analysis
Monitoring and Testing the Network
System activity logs are critical in preventing, detecting, or minimizing the impact of a data comprise. Logs must be checked daily, at a minimum. Audit trail history must be retained for one year, with a strong recommendation that the most current quarter be readily available in the event of a compromise.
