PCI related Information Security Policies & Best Practices (updated: July 13, 2017)

I.  Passwords

A. – must be between 8 and 15 characters long

B. – must include at least one number in the first 8 characters

C. – must include at least one special character in the first 8 characters

D. – must include at least one uppercase and one lowercase letter in the first 8 characters

E. – cannot be made up of any combination of your first name, last name, or Universal username

F. – must be changed at least every 90 days
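
The rules above, implemented as a policy check. This is an added example, not part of the original policy document or of any WWU system. Rule E is interpreted as: no fragment (three or more characters) of the first name, last name or username may appear anywhere in the password; the user "Jane Doe / jdoe" and the sample passwords are constructed.

```python
"""Check a candidate password against the section I password rules.

Added example, not part of the original policy. The name/username handling
(rule E) is an interpretation: any alphanumeric fragment of three or more
characters taken from the first name, last name or username may not appear
in the password.
"""
import re
from datetime import date

MIN_LEN, MAX_LEN = 8, 15        # rule A
COMPLEXITY_WINDOW = 8           # rules B-D look only at the first 8 characters
ROTATION_DAYS = 90              # rule F


def name_fragments(*names):
    """Lower-cased alphanumeric fragments (>= 3 chars) of the supplied names."""
    fragments = set()
    for name in names:
        for frag in re.split(r"[^a-z0-9]+", name.lower()):
            if len(frag) >= 3:
                fragments.add(frag)
    return fragments


def check_password(password, first_name, last_name, username):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append("A: length must be 8 to 15 characters")
    head = password[:COMPLEXITY_WINDOW]
    if not re.search(r"[0-9]", head):
        violations.append("B: no number in the first 8 characters")
    if not re.search(r"[^A-Za-z0-9]", head):
        violations.append("C: no special character in the first 8 characters")
    if not (re.search(r"[A-Z]", head) and re.search(r"[a-z]", head)):
        violations.append("D: need upper and lower case in the first 8 characters")
    lowered = password.lower()
    hits = sorted(f for f in name_fragments(first_name, last_name, username) if f in lowered)
    if hits:
        violations.append("E: contains name/username fragment(s) " + ", ".join(hits))
    return violations


def _as_date(value):
    """Accept a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def rotation_due(last_changed, today=None):
    """Rule F: True when the password is 90 or more days old."""
    today = _as_date(today) if today else date.today()
    return (today - _as_date(last_changed)).days >= ROTATION_DAYS


if __name__ == "__main__":
    # Constructed user: Jane Doe, Universal username jdoe
    for pw in ("Sp3cial!pass", "Password1!", "Jdoe!2024Ab", "Ab1!"):
        print(pw, check_password(pw, "Jane", "Doe", "jdoe") or "OK")
```

Note that "Password1!" fails rules B and C even though it contains a digit and a special character: the policy counts only the first 8 characters.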

II. Servers associated with the Card Data Environment (e.g., web servers)

A. – all users must have a unique ID

B. – all default passwords must be changed

C. – all unneeded default user accounts must be deleted or disabled

D. – all sys admin activities must be uniquely attributable to a specific administrator (e.g., through sudo or membership in a domain admin group, rather than a shared root or administrator login)

E. – all user accounts must be deactivated immediately upon termination or departure from employment

F. – servers shall be located in a secured area with strictly controlled physical access (e.g., a datacenter)
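
A server-side check for rules II.A through II.E on a Unix host, as an added example that is not part of the original policy or of any WWU tooling. The /etc/passwd and /etc/shadow contents, the HR staff list and the list of vendor/default account names are all constructed for the example; the Windows side (domain admin groups) is not covered.

```python
"""Audit a Unix account database against section II.A-E.

Added example, not part of the original policy. The passwd/shadow content,
the active staff list and the default-account names below are constructed.
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:vendor default:/home/admin:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
bsmith:x:1002:1002:Bob Smith:/home/bsmith:/bin/bash
guest:x:1003:1003:guest:/home/guest:/bin/sh
"""

SHADOW = """\
root:$6$salt$hash1:17300:0:99999:7:::
toor:$6$salt$hash2:17300:0:99999:7:::
daemon:*:17300:0:99999:7:::
admin::17300:0:99999:7:::
jdoe:$6$salt$hash3:17300:0:99999:7:::
bsmith:$6$salt$hash4:17300:0:99999:7:::
guest:!$6$salt$hash5:17300:0:99999:7:::
"""

ACTIVE_STAFF = {"jdoe"}                                    # current employees per HR (constructed)
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "operator"}  # vendor/default names (assumed list)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
FIRST_USER_UID = 1000                                      # below this are system accounts


def parse_colon_file(text):
    """Map the account name (first field) to the list of fields on that line."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text, active_staff):
    """Return a list of findings, each prefixed with the section II rule it violates."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []

    # II.A / II.D: a second UID 0 account makes root activity unattributable
    by_uid = {}
    for name, fields in passwd.items():
        by_uid.setdefault(fields[2], []).append(name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"II.A UID {uid} shared by {sorted(names)}")

    for name, fields in passwd.items():
        uid, shell = int(fields[2]), fields[6]
        pw_hash = shadow[name][1] if name in shadow else "!"
        locked = pw_hash.startswith(("!", "*"))
        interactive = shell not in NOLOGIN_SHELLS and not locked
        # II.B: an empty hash field means no password at all
        if pw_hash == "":
            findings.append(f"II.B {name} has no password set")
        # II.C: default accounts must be deleted or disabled
        if name in DEFAULT_ACCOUNTS and interactive:
            findings.append(f"II.C default account {name} is still enabled")
        # II.E: an interactive user account that is not on the active staff list
        elif uid >= FIRST_USER_UID and interactive and name not in active_staff:
            findings.append(f"II.E {name} is active but not on the staff list")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW, ACTIVE_STAFF):
        print(finding)
```

Locked accounts (hash starting with "!" or "*") and accounts with a no-login shell are treated as disabled, so "guest" and "daemon" produce no finding while "admin", which has an empty password field and a real shell, is reported twice.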

III. Service Providers and Associated Vendors / Software

A. – vendors contracted to process or handle credit card data shall hold current PCI DSS certification

B. – PCI DSS certifications will be checked annually against the PCI Security Standards Council listings (e.g., validated payment applications: https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true)

IV. Vulnerability Scanning and Remediation Policy

A.  Quarterly scans of all WWU internal networks shall be performed, with notification of, and remediation or patching by, the responsible parties.

B.  Discovered vulnerabilities shall be patched or otherwise remediated within 30 days of discovery.

C.  Semi-annual check of embedded POS operating systems for known vulnerabilities and exploits.

V.  Wireless Security

A.  Rogue wireless access points shall be shut down immediately upon discovery.

VI.  Data handling and messaging policy

A.  Sensitive data such as credit card numbers, expiration dates, security codes, full bank account numbers and related information shall not be transmitted by electronic messaging (e.g., email or instant messaging) in unencrypted or weakly encrypted form.

B.  In the event that a credit card number (PAN) or full bank account number is written down, it shall be cross-cut shredded immediately after use and not retained in any form.
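
A content check of the kind an outbound mail or messaging gateway would run to enforce rule VI.A, as an added example that is not part of the original policy or of any WWU system. It shows the two steps a usable rule needs: a loose pattern for 13 to 19 digit groups, then a Luhn check so that order numbers and other digit runs are not blocked. The messages are constructed; the card numbers are the commonly published Visa test numbers.

```python
"""Screen an outbound message for clear-text card numbers (section VI.A).

Added example, not part of the original policy or of any WWU tooling.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """ISO/IEC 7812 Luhn check; every PAN issued by a card brand passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the distinct Luhn-valid card numbers in text, digits only."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(digits):
    """Keep at most the first six and last four digits, as PCI DSS masking allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def screen_message(text):
    """Return (allowed, report). A message carrying a clear-text PAN must not be sent."""
    pans = find_pans(text)
    if not pans:
        return True, "no PAN detected"
    return False, "blocked, contains PAN(s): " + ", ".join(mask_pan(p) for p in pans)


if __name__ == "__main__":
    # Constructed messages; the card numbers are published test numbers, not real PANs.
    samples = [
        "Hi, the customer's card is 4111-1111-1111-1111, exp 12/25, CVV 123.",
        "Second card 4012 8888 8888 1881 also declined.",
        "Call 360-650-3000 about order 2024-0615-000123 (invoice 1234 5678 9012 3456).",
    ]
    for msg in samples:
        print(screen_message(msg))
```

The third sample contains two 13+ digit groups that a naive pattern would flag; both fail the Luhn check and the message is allowed through. The report never echoes the full PAN, only the masked form, so the gateway's own logs do not become card data storage.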

VII.  Access to business / financial management portals

A.  Access to business and financial management portals (e.g., Cashnet, Xenegrade, iModules) shall be tightly controlled and only made available to those with a need to access the information.

B.  A list of all such management portals shall be maintained, along with an up-to-date list of all users and their level of access.

VIII.  Physical hardware inspection

A.  All physical hardware (card swipers, EMV chip readers, PCPOS registers, etc.) shall be inspected daily for tampering and for suspicious damage or changes; any findings shall be reported immediately to supervisors.

B.  An accurate, up-to-date inventory of all point-of-sale (POS) hardware, including serial numbers, must be kept and updated whenever equipment is changed or retired.

IX.  Security Policy Publication and Posting

A.  This PCI security policy document must be shared with all personnel associated with the handling and processing of credit card payments and the management of all related systems.

B.  This PCI security policy shall be reviewed annually and updated as necessary by the WWU Information Security Office and the Department of Business Finance and Accounting.

X.  Network and segmentation diagrams

A.  Network and segmentation diagrams shall be checked annually for accuracy and completeness.

B.  Any changes will be reviewed by the Information Security Office and filed in the appropriate document store.

XI.  Firewall and Router configuration standards

A.  The Information Security Office shall approve all modifications to the border firewall rules.

B.  Network Engineers will perform all modifications to the border firewall rules.

C.  The Information Security Office shall specify router ACLs for segmented VLANs.

D.  Network Engineers will perform all modifications to router ACLs.

E.  All router and firewall modifications shall be logged to the centralized logging facility.

F.  Management of routers and firewalls shall only occur from sanctioned workstations and networks.

G.  Firewall and router rules shall be reviewed and updated (if necessary) at least every 6 months.

XII. Centralized logging, monitoring and alerting in relation to PCI environment

A.  Alerts generated by centralized logging shall be assessed by the Information Security Office as soon as possible, and in any case within 48 hours.

B.  Direct access to the centralized logging server shall be monitored, and log integrity shall be protected.

XIII.  Risk assessment review and strategic planning for PCI environment

A.  An annual risk assessment review shall be performed to note any changes to the PCI environment and to plan for improved security practices.

B.  Outdated documentation and policy shall be removed from the current repository.

Notes: June 2019

Per Req. 2.5, vendor defaults and security settings must be reviewed and changed upon installation.

This document needs to be incorporated into ITS Standards and Policy group’s work.