Information about Credit Card Processing & "Payment Card Industry Data Security Standard (PCI-DSS)"
Background:
The Payment Card Industry (PCI) has created requirements for protecting payment card information, including information in computers which process and store credit card and other payment card information. These requirements became effective June 30, 2005 and the University must adhere to these standards to limit its liability and continue to process payments using payment cards.
Scope:
All computers and electronic devices at the University of Minnesota involved in processing payment card data are impacted by the PCI Data Security Standard. This includes servers that store payment card numbers, workstations that are used to enter payment card information into a central system (e.g., ordering tickets over the phone), and any computers through which the payment card information is transmitted.
The University and all units that process payment card data have a contractual obligation to adhere to the PCI Data Security Standard (PCI-DSS). The Payment Card Compliance Office and the Office of Information Technology (OIT) are working with departments to assure compliance.
The following actions are required to meet the Payment Card Industry requirements.
For Servers:
- Contact the Payment Card Compliance Office to notify them of new merchants or changes to credit card processing for existing merchants.
- Report servers to OIT Security using the Critical Server form. Include the merchant number in the software description area and the merchant manager as the Owner on the form. Report all devices involved in credit card processing, such as production, test/development, backup servers, domain controllers, load balancers.
- Apply security settings to servers and other operating system platforms similar to the settings in the QuickStart Basic and Level-2 for desktops (www.quickstart.umn.edu). This includes installing Antivirus software with Anti-spyware and adware software.
- Review what software is running on the computer and remove software not needed. Each open port must have a valid business reason. Complete the Firewall Security Policy/Rules Worksheet below and send to OIT Security to begin the process of setting up the secure credit card vlan.
- All servers involved in credit card processing need to be in a secure credit card vlan. OIT Security will work with your area to set this up. The Firewall Security Policy/Rules Worksheet will be used to determine the secure vlan policy for your servers. See below for servers using an approved redirect product.
- See Securing Private Data Standard for additional steps.
- Internal vulnerability scan will be run on a regular basis using the Qualys internal scanner. Technical contacts are expected to review the scan results and fix or take steps to mitigate the risk. If the vulnerability is a false positive or you have taken other steps to mitigate the risk, you must contact OIT Security.
- External scans by an approved PCI scan vendor are required to be run on a regular basis. Technical contacts are expected to review the results and fix or take steps to mitigate the actual or potential high risk vulnerabilities identified on the scan report. Documentation on false positives or information on the other steps taken to mitigate the risk must be sent to OIT Security. The documentation of false positives will be reviewed by the approved PCI scan vendor. See below for servers using an approved redirect product.
- Review the PCI Data Security Standard (PCI-DSS) and work with your area to meet the requirements. The PCI-DSS requirements are control objectives that need to be met by all systems involved in credit card processing.
- Complete the PCI Self-Assessment Questionnaire for your area.
- Fixed IP address or static DHCP must be used for computers involved in credit card processing.
- Use of wireless for credit card processing is not allowed without prior approval from the Payment Card Compliance Office. For departments that must use wireless, see the PCI Self-Assessment Questionnaire for how to secure.
- Web servers must run SSLv3 with strong encryption enabled. SSLv2 must be disabled.
- Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
  For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
    SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
- Use a secure deletion program to wipe the disk drive when terminating credit card processing. The server will not be removed from the OIT Security Critical List until OIT Security has received verification that the disk and all back up media have been securely wiped using secure deletion software or physical destruction of the media.
- Servers using an approved redirect product do not need to be in a secure credit card vlan and do not need an external vulnerability scan by an approved PCI scan vendor. Contact the Payment Card Compliance Office for a list of approved redirect products.
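Added example (not from the University's own pages): a small Python checker that reads the mod_ssl directives required under the web server item above and reports whether SSLv2 is still enabled or any of the required cipher exclusions (!aNULL, !ADH, !eNULL, !LOW, !EXP) are missing; the two configuration samples are constructed.

```python
import re

# Constructed sample: an ssl.conf fragment carrying the directives this page requires.
GOOD_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</VirtualHost>
"""
# Constructed sample: a stock configuration that still accepts SSLv2 and weak ciphers.
BAD_CONF = "SSLEngine on\nSSLProtocol all\nSSLCipherSuite DEFAULT\n"

DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I | re.M)
KNOWN_PROTOCOLS = ("sslv2", "sslv3", "tlsv1")                  # what mod_ssl of that era knew
REQUIRED_KILLS = ("!aNULL", "!ADH", "!eNULL", "!LOW", "!EXP")   # exclusions in the page's cipher string

def parse_ssl_directives(conf_text):
    """Return the last value seen for each SSL directive (the last one in scope wins in Apache)."""
    return {name.lower(): value for name, value in DIRECTIVE_RE.findall(conf_text)}

def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right: 'all' or a bare name enables, -name disables."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = KNOWN_PROTOCOLS if name.lower() == "all" else (name.lower(),)
        for n in names:
            if sign == "+":
                enabled.add(n)
            else:
                enabled.discard(n)
    return enabled

def check_ssl_conf(conf_text, forbidden=("sslv2",), required_kills=REQUIRED_KILLS):
    """Return findings; an empty list means the config meets the stated protocol and cipher requirements."""
    directives = parse_ssl_directives(conf_text)
    findings = []
    # Assumption: with no SSLProtocol directive, the 2005-era mod_ssl default of 'all' applies.
    protos = enabled_protocols(directives.get("sslprotocol", "all"))
    for p in forbidden:
        if p in protos:
            findings.append(f"SSLProtocol leaves {p} enabled; it must be disabled")
    tokens = set(re.split(r"[:, ]+", directives.get("sslciphersuite", "DEFAULT")))
    for kill in required_kills:
        if kill not in tokens:
            findings.append(f"SSLCipherSuite is missing the {kill} exclusion")
    return findings

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_ssl_conf(conf) or "OK")
```

The forbidden-protocol and required-exclusion lists are parameters, so the same check can be run against a stricter baseline than the 2005-era values quoted above (PCI-DSS has since required that SSLv3 be disabled as well).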
For Desktops:
- Contact the Payment Card Compliance Office to notify them of new merchants or changes to credit card processing for existing merchants.
- Report desktops/devices (including printers) to OIT Security using the Critical Desktop Identification form (PDF or Word version). Include the merchant number in the Important software applications area and merchant manager as the Owner on the form.
- Apply the security settings in the QuickStart Basic and Level-2 Wizards (www.quickstart.umn.edu) to Windows desktops. This includes installing Anti-virus software with Anti-spyware and adware software. For Mac OS X, see Guideline for Mac OS X Desktops. Similar settings should be applied to other operating systems. Send QuickStart screen prints to the Payment Card Compliance Office. This needs to be completed before the desktop is moved into the secure credit card vlan.
- Use the proxy to download operating system updates and anti-virus live updates. See How to use the Proxy.
- Review what software is running on the computer and remove software not needed. General purpose web browsing and e-mail are not allowed. Each open port must have a valid business reason. Complete the Firewall Security Policy/Rules Worksheet below and send to OIT Security to begin the process of setting up a secure credit card vlan.
- All desktops/devices (including printers) involved in credit card processing need to be in a secure credit card vlan. OIT Security will work with your area to set this up. The Firewall Security Policy/Rules Worksheet will be used to determine the secure vlan policy for your desktop/device.
- If disk encryption is needed, use a product like Truecrypt for encrypting individual files.
- See Securing Private Data Standard for additional steps.
- Vulnerability scans will be run on a regular basis. Technical contacts are expected to review the scan results and fix or take steps to mitigate the risk. If the vulnerability is a false positive or you have taken other steps to mitigate the risk, you must contact OIT Security.
- Review the PCI Data Security Standard (PCI-DSS) and work with your area to meet the requirements. The PCI-DSS requirements are control objectives that need to be met by all systems involved in credit card processing.
- Complete the PCI Self-Assessment Questionnaire for your area.
- For Windows desktops, upgrade to Windows XP Service Pack 2 and use the Windows Firewall. If unable to upgrade Windows 2000 to Windows XP, install a software firewall (e.g. ZoneAlarm, Symantec firewall, etc.).
- Fixed IP address or static DHCP must be used for computers involved in credit card processing.
- Use of wireless for credit card processing should not be allowed. For departments that must use wireless, see the PCI Self-Assessment Questionnaire for how to secure.
- Use a secure deletion program to wipe the disk drive when terminating credit card processing. The device will not be removed from the OIT Security Critical List until OIT Security has received verification that the disk and all back up media have been securely wiped using secure deletion software or physical destruction of the media.
Frequently Asked Questions
What form should be completed to set up a Firewall Security Policy (firewall rules) for servers and desktops/devices involved in credit card processing?
Complete one of the following forms:
Why do I need to complete a Firewall Security Policy/Rules Worksheet?
The Firewall Security Policy/Rules Worksheet documents the business reason for each open port and documents the IP addresses that can access the servers, desktops or devices protected by the secure credit card vlan. The Firewall Security Policy/Rules Worksheet is used to configure your secure credit card vlan.
Will admins be able to get the logs of connections blocked by the ACLs for the secure credit card vlan or FWSMs via syslog?
Not initially.
What group will be managing the ACLs and FWSMs for the secure credit card vlan?
OIT will have to approve all changes. Send change requests to OIT Security at abuse@umn.edu.
Can I run my own firewall?
Yes, firewalls offer another layer of defense. ACLs will still be required.
Will the ACLs for the secure credit card vlan drop packets based on protocol?
Yes, but we do not anticipate doing this.
Can other servers be put in the secure credit card vlan?
For management reasons, this will not be allowed.
What traffic will be allowed for all vlans?
DNS to the two main nameservers and NTP will be allowed by default, as will ICMP traffic for network maintenance. Access will be allowed for OIT Security scanners.
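Added example (not the University's code): a Python model of how the secure credit card vlan ACL described in this FAQ is assembled and evaluated: the default-allowed traffic (DNS to the two nameservers, NTP, ICMP, scanner access) plus worksheet rows, each of which must carry a business reason, with everything else denied. The nameserver and scanner addresses and the worksheet row layout (proto, port, peer network, reason) are assumptions, not UMN values.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the "two main nameservers" and the OIT Security scanners.
NAMESERVERS = ("192.0.2.10", "192.0.2.11")
SCANNER_NET = "198.51.100.0/24"
ANY = "0.0.0.0/0"

def baseline_rules():
    """Traffic the FAQ says is allowed for every vlan: DNS to the nameservers, NTP, ICMP, scanners."""
    rules = [("udp", 53, ns, "DNS to main nameserver") for ns in NAMESERVERS]
    rules += [("udp", 123, ANY, "NTP"),
              ("icmp", None, ANY, "ICMP for network maintenance"),
              ("any", None, SCANNER_NET, "OIT Security scanners")]
    return rules

def check_worksheet(rows):
    """Return worksheet rows that open a port without documenting a business reason."""
    return [row for row in rows if not (row[3] or "").strip()]

def build_policy(rows):
    """Assemble the ACL: baseline rules first, then every worksheet row that has a business reason."""
    policy = baseline_rules()
    rejected = check_worksheet(rows)
    for proto, port, peer, reason in rows:
        if (proto, port, peer, reason) not in rejected:
            policy.append((proto.lower(), port, peer, reason))
    return policy

def is_allowed(policy, proto, port, peer_ip):
    """Default-deny evaluation: a packet passes only if some entry matches protocol, port and peer."""
    addr = ip_address(peer_ip)
    for r_proto, r_port, r_peer, _ in policy:
        if r_proto not in ("any", proto):
            continue            # ACLs drop on protocol mismatch
        if r_port is not None and r_port != port:
            continue
        if addr in ip_network(r_peer, strict=False):
            return True
    return False

if __name__ == "__main__":
    worksheet = [("tcp", 443, "203.0.113.5/32", "YourPay payment page"),
                 ("tcp", 80, ANY, "")]          # no business reason: rejected
    print("rejected:", check_worksheet(worksheet))
    pol = build_policy(worksheet)
    print("https to YourPay:", is_allowed(pol, "tcp", 443, "203.0.113.5"))
    print("general web:", is_allowed(pol, "tcp", 80, "203.0.113.77"))
```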
What are some tips on how to secure the Web browser?
- General purpose Web browsing and e-mail will not be allowed on desktops involved in credit card processing. However, since some people are entering credit card information via secure Web pages (i.e., YourPay), it makes sense to think about how to configure your Web browser securely.
- If possible, use Firefox instead of Internet Explorer.
- For Internet Explorer, it is recommended that the Internet zone be set to "High" security and that business sites (either specific URLs or wild cards such as https://*.yourpay.com ) be set up at medium security in the Trusted Zone. This will allow the business sites to function but help secure other sites. For more information on how to do this you can see Microsoft's step-by-step directions at http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx
- Firefox does not have the same concept of zones that Internet Explorer does but still has many useful features. Some recommended features are:
    - Check weekly for updates (should be turned on by default but good to check)
    - Allow cookies from the originating Web site only
    - Block popups and allow sites that need popups by using the allowed sites button
    - Do not have Firefox remember your passwords
    - When starting downloads have it open the download manager (this is also the default)
- On all desktops, it is very important that BOTH QuickStart Basic and QuickStart Level-2 settings are applied (www.quickstart.umn.edu).
Resources & Links