Georgetown University PCI DSS Handbook

Transcription

1 Prcedures fr Payment Card Prcessing: Guidance fr Departments and Card Prcessrs March 2017

2 Table f Cntents Sectin 1: Missin Statement... 4 Sectin 2: PCI DSS Overview... 4 Sectin 3. University Plicies and Prcedures... 4 Sectin 4. Card Payment Service Centers... 4 Sectin 5. General Requirements & Prcedures... 5 Sectin 6. Financial Prcedures... 9 Sectin 7. Annual PCI Security Audit... 9 Sectin 8. Applying t Take Card Payments Sectin 9. Enfrcement Sectin 10. Glssary Sectin 11. Plicies Ver. 4.5 March

3 Revisin Histry Date Versin Authr Descriptin 2/23/ Judith Huse Initial Draft 3/16/ Judith Huse Revisin, with Treasury Operatins 5/18/ Jessica Pierce Revisin, with Treasury Operatins 9/18/ Judith Huse Revisin, with PCI Wrking Grup, t reflect final decisins abut GU acceptable practices 11/4/ Judith Huse Revisin t reflect Service Center structure 1/12/ Judith Huse Separatin f Crdinatr and Department prcedures 5/3/ Jessica Pierce Pst QSA Mdificatins 11/11/ Jessica Pierce Annual Review/Update f Dcumentatin 3/2/ Jessica Pierce Clarificatin Prcess and Retentin Requirements in Sectin 7. Ver. 4.5 March

4 Sectin 1: Missin Statement The purpse f Gergetwn s PCI prcedures is t prcess credit card transactins in a manner that prtects cnfidential custmer data using industry best practices, by well-trained University persnnel, and ensure that GU partners als prtect custmer data apprpriately. Sectin 2: PCI DSS Overview PCI DSS stands fr Payment Card Industry Data Security Standard. It is nt a gvernmental regulatin, but a cntractual bligatin impsed by the payment card cmpanies in return fr allwing Gergetwn t accept credit and debit card payments. The requirements f PCI are aimed at prtectin f Cardhlder Data (CHD), in particular the Persnal Accunt Number (PAN). The requirements are quite stringent, and are nt subject t negtiatin. The ffice f Treasury Operatins within Financial Affairs versees the PCI prcess. The University Infrmatin Security Office prvides supprt t Financial Affairs by establishing standards fr securely handling Cardhlder Data, by cnducting reviews and risk assessments, and by assisting with remediatin effrts as needed. Sectin 3. University Plicies and Prcedures In cmpliance with the requirements f PCI, Gergetwn University has created the Payment Card Industry Data Security Standard (PCI DSS) Plicy (FA 192). The purpse f this plicy is t secure payment card transactin data in rder t prtect accunt and persnally identifiable infrmatin prvided by custmers using credit r debit cards fr business with Gergetwn University. It defines and describes the respnsibilities and required practices fr all members f the University cmmunity with respect t the use, strage, prcessing and retentin f payment card data (e.g. credit cards, debit cards) t cnduct University business. The University Infrmatin Security Office publishes the PCI DSS Security Plicy, which describes the security measures required fr PCI cmpliance. The plicy is published n the UISO web site, security.gergetwn.edu. Sectin 4. Card Payment Service Centers In rder t effectively manage, cntrl, and supprt PCI cmpliance, the University has established campus based Service Centers, thrugh which all card prcessing and PCI cmpliance is administered. Each Campus is respnsible fr managing credit card prcessing and PCI cmpliance thrugh central Service Centers. Service Centers are required t assess, mnitr, and where necessary reassess the prcedures f all departments that accept card payments n behalf f the Center. The prcedures fr Center Crdinatrs and staff are fund in the PCI DSS Handbk fr Service Center Crdinatrs. Respnsibilities f Service Centers Include: Card Prcessr and Department Supprt and Oversight Equipment Oversight and Cntrl Ver. 4.5 March

5 Cmpliance Mnitring and Oversight Transactin Review, Jurnal Management, and Recnciliatin Annual PCI Audit Annual Review f Center departments Management f Applicatins fr Acceptance f Payment Cards Service Centers Main Campus Central Service Center Student Affairs Schl f Cntinuing Studies SFS-Q Medical Center Central Service Center Law Center Central Service Center CLE University Services Central Service Center Advancement Office f Billing & Payment Services Sectin 5. General Requirements & Prcedures All individuals wh are engaged in payment card prcessing are required t adhere t the Prcedures described here, as well as thse dcumented in the Service Center and department business prcesses. REQUIREMENTS: PCI DSS Training: Every emplyee wh meets the criteria fr card prcessr, as defined by Gergetwn University, is required t cmplete annual PCI training, and t present evidence f successful cmpletin t the Service Center Crdinatr. Every authrized user must annually accept ntificatin f the PCI-related plicies by cmpleting the frm: Only persns wh have cmpleted all required training will be permitted t handle card data. Fulfillment f the training requirement is lgged in emplyee s GMS recrd. Business prcess and business cycle: Every department is required t maintain with their Service Center dcumentatin f the business prcess and business cycle fr handling payment card data. This prcess is t be reviewed annually as part f the PCI audit requirement Adherence t these prcedures is mandatry Changes f prcedure must be dcumented immediately and prvided t the apprpriate Service Center Crdinatr Segregatin f Duties Each department engaged in payment card prcessing must establish segregatin f duties with regard t payment card prcessing, the prcessing f refunds, and recnciliatin f revenue. General Prcedures: Acceptable methds fr receiving payment card data: Ver. 4.5 March

6 Pstal mail and in-persn are permitted is nt permissible When cardhlder data is received by the prcessr shuld: Ntify the sender that it cannt be accepted; Direct the sender t the apprpriate methd, and Destry the data. Phne and Fax are permitted nly with a dcumented exceptin frm Financial Affairs/UISO. Receipt f cardhlder data via these methds requires a Plain Old Telephne Service (POTS) line prvisined by Verizn and installed and maintained at the expense f the department. The standard phne/fax lines at the university are Vice Over Internet Prtcl (VOIP) and are nt permitted fr transmissin f such data. Strage Card data may nt be stred, in whle r in part, n electrnic media. Where apprved, masked card data n paper may be stred in lcked strage fr the minimum required by the business prcess, r fr the duratin f the retentin perid, whichever is shrter. Stred card data n paper must effectively mask the PAN except fr the last 4 digits Black marker is insufficient masking Physical remval (cutting it ff the frm) is required prir t strage Cmpliance with University financial prcedures is mandatry. Staff Changes Changes in staff engaged in prcessing payment cards must be reprted t the Service Center Crdinatr immediately All designated card prcessrs must successfully cmplete the mandatry PCI DSS training befre beginning t handle cards r card data. New emplyees have 30 days t cmplete training. Secure Envirnment Departments must maintain an apprpriately secured envirnment at all times Secured Devices All card prcessing devices within a department s cardhlder data envirnment must be apprpriately secured. Machines that are left unattended must be lcked r lgged-ff. Nn-cmputer devices must never be left unattended in an area where unauthrized individuals may have access t the device. Patching and Security Updates Each department engaged in payment card prcessing must cmplete all security enhancements t prcessing systems as required by Treasury Operatins/Internal Audit/UIS. All vendr supplied security patches t systems must be applied as sn as pssible, based n risk factrs, but n later than 30 days frm issue date. Changes t the Prcessing Envirnment Ver. 4.5 March

7 The Service Center, in cnjunctin with UISO, must apprve any changes t the departmental prcessing envirnment, including any sftware/hardware additins, prir t purchase. Nncmpliance will result in sanctins, as described elsewhere in this dcument. Audit Treasury Operatins, UISO, and/r internal/external audit staff will perfrm regular internal assessment f departments systems, security plicies and cntrls related t University payment card prcessing. Cmpliance Each department engaged in payment card prcessing must cperate with all required reprting and audits, including full cmpliance with PCI DSS, University plicy, and all ther industry security requirements Nncmpliance will result in sanctins, as described elsewhere in this dcument. Cntracts & Agreements Cntracts with PCI cmpnents must be submitted t the Service Center Crdinatr fr review. The Crdinatr will wrk with Treasury Operatins and UISO n the apprval prcess. Treasury Operatins and UISO must apprve all new cntracts and cntract renewals related t payment card prcessing prir t executin. All such cntracts must cntain cntract language apprpriate t PCI DSS, as determined by Office f General Cunsel. Dedicated PCI Facility The facility must be secured at all times, with lcked drs and cntrlled access (keycard, key, etc.) Only authrized facility staff may remain in the facility unescrted. Devices must be lcked dwn Devices must be scanned n a regular schedule, but at least quarterly. Visitr access must be strictly limited, and apprpriately cntrlled: Visitrs must be signed in, present pht ID, and recrd purpse and persn being visited. Visitrs must receive badges r ther devices that visually identify them as such Visitrs must be escrted at all times within the facility Visitr lgs must be retained fr a minimum f 3 mnths TERMINAL (POS) prcessing: Terminal Management: The Pint f Sale (POS) device must be an apprved PNC issued terminal. Treasury Operatins manages the acquisitin, tracking, and return f all POS devices. Service Center Crdinatrs shall make requests fr additinal devices, reprt damaged r inperative devices, and return unneeded devices t Treasury Operatins fr dispsitin. Only Treasury Operatins may lease r purchase POS devices thrugh PNC. Each POS device must be stred in a lcked, secure lcatin except when actively used. When in use the device must be cnnected t a nn-gu POTS line prvisined by Verizn and installed and maintained at the expense f the department. Apprved devices include FD130 r FD130Du with FD-35, FD400 r ClverMbile (see appendices fr prduct infrmatin n each apprved device) Ver. 4.5 March

8 Payment Prcessing (Card Present): Payment is Card Present (the cardhlder is physically present and presents r swipes the card him r herself.) Terminal Card Present 1. Press ENTER (green key n terminal) r tuch screen t light up Main Screen display. 2. Press CREDIT/DEBIT 3. Press SALE 4. Key $ amunt and press ENTER 5. At the prmpt, swipe the credit/debit card then press ENTER 6. Terminal then cmmunicates with hst (PNC) fr apprval 7. When transactin is apprved a merchant receipt with masked cardhlder data autmatically prints ut fr the patrn t sign. Remve this receipt frm the terminal. This receipt will be stapled t the cash register transactin receipt. 8. Press YES t print a custmer receipt t give t the patrn. 9. Press CLEAR r ENTER t return t the Main Screen. Payment Prcessing (Card Nt Present) Payment is Card Nt Present (phne r USPS mail nly). Credit Card Payment Authrizatin (CCPA) frms may be used t cllect and prcess bth mail and phne transactins. Payment Prcessing: The paper frm and phne methd uses the department Credit Card Payment Authrizatin (CCPA) frm. Either the cardhlder will cmplete a paper frm including cardhlder data (CHD), r a staff member will use the same frm t recrd infrmatin frm the caller, including the cardhlder data (CHD). The CHD is recrded n the bttm sectin f the frm. CCPA frms must be frmatted s that the cardhlder data is at the end f the frm, and can be remved nce the transactin is cmpleted. Terminal Prcessing After the frm is cmpleted the card transactin payment is prcessed using the terminal, fllwing the steps belw: 1. Press 1 buttn (Credit) 2. Press 1 buttn (Sale) 3. Key $ amunt, i.e. if five dllars, then key-in: 500 (decimal autmatically inserted) 4. Press, enter (green buttn) 5. Key custmer s credit card number and press enter (green buttn) 6. Key Expiratin Date (fr instance 0415) and enter (green buttn) 7. Chse 6 buttn fr NO 8. Base amunt and tax amunt screen, skip by pressing enter (green buttn) 9. Tax Exempt? Press 4, fr Yes 10. Custmer Cde? Press enter (green buttn) 11. Address skip by pressing enter (green buttn) 12. Zip Cde - skip by pressing enter (green buttn) 13. Prcessing Dialing/Transmitting/Receiving (Terminal cmmunicates with the hst fr apprval) 14. Once the merchant masked receipt is printed, remve receipt frm terminal 15. Print custmer receipt cpy? Press 4 fr Yes 16. Press enter (green buttn) nce custmer receipt has printed Ver. 4.5 March

9 17. Press red buttn fr CLEAR r get the start screen 18. Separate the CHD sectin frm the CCPA frm and immediately destry by shredding. E-Cmmerce E-cmmerce refers t the prcess f cnducting transactins ver a web site designed fr payment prcessing. Gergetwn requires that all e-cmmerce activities be cnducted using apprved hsted sites. N in-huse e- cmmerce develpment is permitted. Bth Treasury Operatins and the Service Center must apprve e- cmmerce vendrs prir t initiating a cntract. E-cmmerce transactins are cnducted by the custmer directly, with n intermediatin between the custmer and University emplyees. University emplyees may nt, under any circumstances, enter cardhlder data int an e-cmmerce site n a custmer s behalf. In sme cases, selected staff will access custmer infrmatin frm the site, acting as a nn-cnsumer user (administratr). Each such nn-cnsumer user must: Use nly an accunt specific t the individual (n shared IDs) Change the passwrd n that accunt at least every 90 days Printing, dwnlading, r therwise capturing and string cardhlder data n University devices r netwrks is nt permitted under any circumstance. Sectin 6. Financial Prcedures Card Prcessing ClientLine & AmexOMS are nline reprting services that prvide timely service center payment prcessing infrmatin. ClientLine prvides prcessing infrmatin fr Visa, MasterCard, and Discver. AmexOMS prvides prcessing infrmatin fr American Express. Users must lgin t these services at least nce every 30 days r lse access. Cntact the Service Center t add r remve users. Prcedure fr Credit Card Terminals and e-cmmerce Each Service Center and department is required t regularly review card activity using ClientLine/AmexOMS. Each Service center must sign in at least every 30 days Failure t d s may disable the ClientLine/AmexOMS accunt. Shuld this ccur, cntact yur Service Center fr assistance. Terminal Batch Out Card Prcessrs are required t batch ut at the end f each sessin, r minimally daily. Center Crdinatrs must mnitr fr cmpliance. Service Centers are required t reprt the initial batch fr each terminal t Treasury Operatins, by t pci-supprt@gergetwn.edu Sectin 7. Annual PCI Security Audit All Centers will be audited fr PCI cmpliance by UISO and Treasury Operatins n at least an annual basis. Each Center Crdinatr must maintain the PCI Merchant Annual Audit Wrkbk as current. Departments must Ver. 4.5 March

10 prvide the relevant dcumentatin t the Center Crdinatr in a timely manner. The required dcumentatin is described belw 1. Authrized Card Prcessr List: a. Prvide a list f all authrized (trained) Card Prcessrs, including any ecmmerce r terminal access authrizatin. b. This list must be kept current at least n a mnthly basis 2. Prcess & Retentin a. A departmental business prcess descriptin based n the standard prcess must be created and maintained. It addresses: i. Hw credit card data is received, prcessed, stred, and destryed fr each payment channel ii. Specifics f strage and destructin prcedures iii. Fr E-Cmmerce, website URL, hsting cmpany, payment gateway, and apprved ecmmerce prvider(s) iv. Duratin f business cycle v. It must cntain a quarterly prcess fr audit f cardhlder data t identify and securely delete stred cardhlder data that exceeds defined retentin requirements. 3. Terminal (POS) Device Inventry a. If the department has ne r mre terminals maintain the Terminal (POS) Inventry Sheet. Recrd the identifying infrmatin, lcatin infrmatin, and wnership. b. Departments must cnduct a mnthly review f all devices t ensure that n tampering has ccurred, and lg each device inspectin. The Tampering Audit lg shuld be prvided t the Center c. Center Crdinatrs must track if a POS device is brrwed r mved and fr what purpse. Upn return t its strage place, a Tamper Audit shuld be perfrmed. 4. E-Cmmerce a. If the department uses ne r mre E-Cmmerce sites, the department must cmplete the E-Cmmerce Site Inventry Sheet. 5. Data Management Lg a. T be maintained if stred data has been shared with thers, mved t a different lcatin, r destryed 6. Incident Lg a. Fr any security events r incidents related t payment card data, the Incident Reprting Lg sheet must be cmpleted. Include a summary f the event, impact, scpe, and reslutin. Include cpies f the incident reprts in the audit packet. 7. Dedicated PCI Facilities a. GU has few such facilities. Fr any dedicated PCI Facility, the Dedicated PCI Facility Staff Sheet must be maintained t recrd everyne wh is authrized fr access t the facility, with authrizatin and cntact infrmatin. b. Cmplete Visitr Lgs fr the relevant perid must be included in the Audit Packet. c. A Key Lg must be maintained fr the cntrl f keys fr the facility. 8. Service Prvider List a. All Service Center Crdinatrs must identify and maintain a list f all third parties wh prcess credit card payments n their behalf. If applicable, this list f third parties must include a dcument destructin cmpany wh handles shredding f all credit card infrmatin. A dcument destructin lg must be kept as part f the audit wrkbk. 9. Data Destructin Lg a. If a third party handles dcument destructin f cardhlder data, it must be lgged in the data destructin lg. 10. Desktp Audit a. Card prcessrs may be subject t an annual desktp audit f the university cmputer t assure prper cnfiguratin, patching, security sftware, etc. is in place. Ver. 4.5 March

11 Sectin 8. Applying t Take Card Payments Departments wishing t accept card payments must first btain the PCI applicatin packet. This cntains the Payment Card Prcessing Applicatin and guidance n cmpleting the prcess. The Campus Service Centers will make the applicatin packet available, and will assist in cmpleting the frms as necessary. The Service Center Crdinatrs will make the initial determinatin f eligibility fr card prcessing based n the type, number f transactins, and dllar amunt indicated, and the apprpriateness f the activity. If the request is deemed apprpriate, based n the criteria fund in sectin 4, the Center Crdinatr will determine the apprpriate reslutin. When a Center Crdinatr accepts a request, a cpy f the applicatin frm and accmpanying dcuments is frwarded t Treasury Operatins. Treasury Operatins reserves the right t audit accepted applicatins as apprpriate. The Payment Card Prcessing Applicatin and guidance n cmpleting the applicatin prcess are available separately at Sectin 9. Enfrcement Every individual wh handles r prcesses credit cards r cardhlder data is required t remain fully cmpliant with the requirements f PCI DSS at all times. Departments r individuals that fail t fully cmply with the prvisins f the Service Center Agreement, r with the prvisins f University plicy and its assciated prcedures, are subject t suspensin r terminatin f payment card prcessing privileges. There are n exceptins. Departments are respnsible fr any financial lss incurred by the University resulting frm inadequate cntrls r insufficient adherence t the PCI DSS, University plicy and ther industry security requirements. Departments r individuals fund t be nn-cmpliant are required t prmptly cme int full cmpliance t retain the ability t accept card payments. When a cmpliance issue is identified, the Center Crdinatr will ntify the department and relevant card prcessrs. This Warning f Nn-Cmpliance will specify the areas f nncmpliance, and establish the date by which the department must demnstrate full cmpliance. Failure t achieve full cmpliance within that perid will result in a Final Warning f Nn-Cmpliance, with a maximum duratin f tw weeks. Warnings f Nn-Cmpliance are cpied t Treasury Operatins. Failure t cmply with the Final Warning will result in referral t Treasury Operatins fr final dispsitin. Dispsitin may include suspensin r revcatin f payment-prcessing privileges. Ver. 4.5 March

12 Sectin 10. Glssary Acquirer Authrized User Card prcessr Cardhlder data (CHD) Center Dedicated PCI Facility E-Cmmerce Masked merchant receipt Merchant ID PAN Payment Applicatin Payment card PCI Prtable (Remvable) Electrnic Media POS Device ROC Security Event Separatin f Duties Service Prvider Service Center Terminal Als referred t as Merchant bank, acquiring bank, r acquiring financial institutin. Entity that initiates and maintains relatinships with Merchants fr the acceptance f payment cards. The acquiring bank fr GU is PNC. A member f the University cmmunity wh has been identified as a card prcessr, and has successfully cmpleted the mandatry training. Any member f the University cmmunity wh accepts, prcesses, stres, reviews, r handles cardhlder data n behalf f a Center. The full Primary Accunt Number (PAN) r the full PAN alng with any f the fllwing elements: Cardhlder name, Expiratin date, and Service cde. Campus based units created t effectively manage, cntrl, and supprt PCI cmpliance in the departments under the Center. Space whse primary purpse, r within which ne f the primary activities, is the prcessing f cardhlder data, such as a call center. Cmmercial transactins cnducted ver the Internet Receipt which displays nly the last 4 digits f the card number Number used t identify the University unit prcessing each transactin. Full Primary Accunt Number A sftware applicatin that stres, prcesses, r transmits cardhlder data as part f authrizatin r settlement, where the payment applicatin is sld, distributed, r licensed t third parties Credit r debit card Payment Card Industry Data Security Standards (als called PCI DSS) Media that stre digitized data and which can be easily remved and/r transprted frm ne cmputer system t anther. Examples f remvable electrnic media include CD-ROM, DVD-ROM, USB flash drives and remvable hard drives. Als called Terminal. Authrized device used t prcess payment card transactin. Such transactins may be Card Present r Card Nt Present Acrnym fr Reprt n Cmpliance. Reprt dcumenting detailed results frm an entity s PCI DSS assessment. An ccurrence cnsidered by an rganizatin t have ptential security implicatins t a system r its envirnment. In the cntext f PCI DSS, security events identify suspicius r anmalus activity Practice f dividing steps in a functin amng different individuals, s as t keep a single individual frm being able t subvert the prcess Any cmpany that stres, prcesses, r transmits cardhlder data n behalf f anther entity See Center See POS Device Ver. 4.5 March

13 Sectin 11. Plicies PCI DSS POLICY: ustry_data_security_standard_pci_dss_-_june_2016.pdf PCI SECURITY POLICY : FD130 FD130 Du FD410 ClverMbile Appendix: Apprved POS Device Prduct Infrmatin