Policies and Procedures Provided by PROGuard

The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ, it is imperative that you review, understand, and enforce the policies and procedures outlined below. Certain policies require a corresponding Form to be completed to become compliant. These Forms can be downloaded from www.petropci.com on the Forms Web page. If you have any questions, please contact ProGuard at 1-866-427-7297 x295.

I. Ensure that all employees have been trained and educated on the policies and procedures. Each employee is to sign the Employee Acknowledgement. (Employee Compliance Form)

II. PCI DSS Requirement 3.2
All systems must adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted).
A. POS systems are to be updated with the most current version of software provided by the manufacturer, which does not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). Document all software upgrades on the Processing Equipment Maintenance Form.
B. Do not store the card-validation code or value (the three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions, and do not store the personal identification number (PIN) or the encrypted PIN block.

III. PCI DSS Requirement 3.3
Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
A. Truncation is performed by the POS system.
B. If a paper imprinter slip is used for telephone orders and mail orders and the document is to be stored, then all digits except the last four must be blacked out.
IV. PCI DSS Requirement 4.2
Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
A. When it is absolutely necessary to send cardholder data, other personally identifiable information, or other sensitive information via messaging technologies (including text or email), appropriate measures are taken to block out or remove the cardholder information and other personally identifiable information, or to render the communicated sensitive information useless.

V. PCI DSS Requirement 7.1
Limit access to system components and cardholder data to only those individuals whose job requires such access.
A. Each employee is given their own unique access code for POS or stand-alone terminals, which restricts the fields to which they have access.
B. Employees are instructed not to share cardholder information with other employees unless deemed necessary by a supervisor.

VI. PCI DSS Requirement 9.1
Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. (POS Maintenance Form, POS and Terminal Inspection Form; additionally for gas stations: Pump and Site Inspection Form, Pump Key Form, and Pump Maintenance Form)
A. Restricted areas are appropriately identified by signage (e.g., authorized personnel only).
B. All keys are to be unique to your site.
C. A POS/Counter Top Maintenance Form is to be completed when maintenance is done to any POS/counter top terminal.
D. Inspect terminals/POS to ensure that no unauthorized cables have been attached and that the terminal/POS has not been tampered with.
For gas stations:
E. If you accept cards at the pump, a daily pump and site inspection is to be done to ensure pump security.
F. Use the Pump Key Form and the Pump Maintenance Form when pumps are accessed or serviced.
VII. PCI DSS Requirement 9.6
Physically secure all paper and electronic media that contain cardholder data. (Cardholder Data Form)
A. Locate all paper documents (including receipts, notes, reports and faxes) and all electronic storage media, such as CDs, backup tapes, thumb drives, hard drives and credit/debit card processing machines, which contain your customers' full credit/debit card numbers.
B. Determine whether it is necessary to keep any paper or electronic data that contains your customers' full credit/debit card numbers. We strongly recommend you do not keep any documents with the 16-digit number unless absolutely necessary. If you do have any on file, please ask yourself: why do I need to keep this?
C. If it is necessary for business purposes to store this data, the following rules apply:
o If it is portable electronic storage, it must be stored in a locked cabinet.
o Any electronically stored data must be password secured.
o A Form must be kept documenting how the cardholder data is stored and secured.

VIII. PCI DSS Requirement 9.7
Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. (Media Removal Form)
A. All material moved from the secure area is marked confidential, documented on the Media Removal Data Form, and transported by a document service such as FedEx or the U.S. Post Office with a tracking number.

IX. PCI DSS Requirement 9.8
Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).
A. No material containing cardholder data is to leave the premises without the permission of management.

X. PCI DSS Requirement 9.9
Maintain strict control over the storage and accessibility of media that contains cardholder data.
A. All sensitive data is to be kept in a file or secured area which is accessible by management only.
B. The file cabinet or safe containing confidential information is to be locked during business hours as well as after hours.
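Added example, not part of the PROGuard document: the Requirement 3.3 display mask (first six and last four at most; last four only for paper slips) beside a scan, run over a constructed receipt log, that locates full PANs and stored card-validation codes as the Requirement 3.2 and Section VII.A inventory steps ask. The sample records, the Luhn filter and all function names are assumptions.

```python
import re

# Constructed sample of an exported receipt log (test card numbers, not real ones).
SAMPLE_RECORDS = """\
2024-01-03 pump 4 sale 41.20 card 4111 1111 1111 1111 auth 0421
2024-01-03 store sale 12.00 card 411111******1111
2024-01-04 invoice #12345678901234 paid by check
2024-01-04 store sale 8.75 card 5555555555554444 cvv 123
"""

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card-validation code next to a label: must never be stored (Requirement 3.2).
CVV_RE = re.compile(r"\b(?:cvv|cvc|cvv2|cid)\b\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, so invoice and order numbers are not reported as PANs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:        # double every second digit counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, paper: bool = False) -> str:
    """Requirement 3.3 mask: at most first six and last four; paper slips keep only last four."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    front = 0 if paper else 6
    return digits[:front] + "*" * (len(digits) - front - 4) + digits[-4:]

def scan_stored_data(text: str) -> list:
    """Locate full PANs and stored CVVs in text (Section VII.A inventory, Requirement 3.2).
    Returns (line_number, kind, masked_value); the full PAN is never echoed back."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((lineno, "PAN", mask_pan(digits)))
        if CVV_RE.search(line):
            findings.append((lineno, "CVV", "***"))
    return findings

if __name__ == "__main__":
    for lineno, kind, masked in scan_stored_data(SAMPLE_RECORDS):
        print(f"line {lineno}: full {kind} present ({masked})")
```

Lines that already carry a truncated PAN are not reported, so the scan can be re-run after cleanup to confirm nothing was missed.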
XI. PCI DSS Requirement 9.10
Destroy media containing cardholder data when it is no longer needed for business or legal reasons. (Media Destruction Form)
A. Requirement 9.10.1: Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed.
B. Document a description of the stored data you are destroying, and the date and method of destruction, on the Media Destruction Form.
C. Management is to sign and date the Form, and it is to be kept in the Compliance Binder.

XII. PCI DSS Requirement 12.8
If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers. (Service Provider Form and Service Agreement)
A. Maintain a list of service providers who would have access to any POS system or to any credit card data. This also includes those individuals or companies which maintain gas pumps.
B. Determine with whom you share your customers' cardholder data. Be sure to include all other companies or individuals who are not your employees on the Service Provider Form.
C. Maintain a written agreement that includes an acknowledgement that the service provider is responsible for the security of the cardholder data the service provider possesses.
D. Monitor service providers' PCI DSS compliance status by requesting a copy of their annual SAQ.

XIII. PCI DSS Requirement 12.8.3
Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.
A. Only engage contracted work with industry-approved vendors and check the references of such vendors.

XIV. PCI DSS Requirement 12.9
Implement an incident response plan. Be prepared to respond immediately to a system breach.
A. If a breach occurs, please notify the Petroleum Card Services PROGuard compliance department at 1-866-427-7297 x295. If PROGuard is unavailable, please contact the Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.
Once you have read and agreed to these policies, please print and initial the Policy Acknowledgement SAQ B Form and return the form to PCS. You now have all the policies necessary to continue and take the SAQ. Please keep these policies and forms in a compliance binder at your location for easy access.