Security Requirements & Costs

---

Forms for Security Access:

• WIAN Security Authorization Request Form (PCI Active Directory)
• Security Checklist Implementing Third Party Processing

Change Management Procedure:

• Significant Change Definition and Requirements
• ITS Change Policy
• Roles and Procedures for Change Management
• How to Enter a Request for Change (RFC)

Incident Reporting – What to do in Case of a Breach:

• DO NOT turn off or unplug the computer or terminal – there may be important forensic evidence that can be lost by turning it off or unpluging the equipment.
• DO NOT continue to use the computer or terminal that may have been compromised!!!
• Immediately contact Income Accounting – 801-585-5686
• Income Accounting will contact Wells Fargo and instruct you on what to do next.
  • See Visa’s Incident Response Instructions so you will know what to expect.
  • Income Accounting will take care of all reporting information. Please be willing to provide all the information asked for.  See Department Procedure 12.9 – Incident Response.

Requirements & Costs for Processing Credit Cards – by Mode:

There are many ways to process payment card transactions.  Each mode of processing has specific security requirements, many of which have associated costs* in order to implement and maintain the security.  The applicable requirements depend on the mode of processing.  A glossary of PCI DSS terms is found here.  To get the actual costs, please contact Income Accounting and Student Loans.

The full list of requirements is as follows:

• *Anti-virus:  Program or software capable of detecting, removing, and protecting against various forms of malicious software (also called “malware”) including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.
• *Firewalls: Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
• *File Integrity Monitoring: Technique or technology under which certain files or logs are monitored to detect if they are modified. When critical files or logs are modified, alerts should be sent to appropriate security personnel.
• *Logging: Also referred to as “audit trail.” Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.
• *Penetration Testing: Penetration tests attempt to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and from inside the environment.
• *Vulnerability Scanning:  A scan of system components that detects actual or potential flaws or weaknesses which, if exploited, may result in an intentional or unintentional compromise of a system.
• *Identity Finder Scanning: A scan of all PCI computers and system components that identifies cardholder data in memory or other programs that could be exploited.
• *Multi-Factor Authentication:   Method of authenticating a user whereby two or more factors are verified. These factors include something the user has (such as hardware or software token), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints or other forms of biometrics). Often used for remote access or access to specific PCI devices.
• Department Procedures:  Each department must maintain and follow PCI DSS procedures for processing, accessing, and storing cardholder data.  A standardized template is available for each department.   Any additional procedures may be added and maintained by the department.
• Data Flow Diagram:  A diagram showing how cardholder data flows through an application, system, or network.  The department’s System Administrator is responsible for updating the data flow diagram if changes are made to any of the system components or IP addresses.
• Assets Inventory: A list of system components that are used to process payment card transactions.  System components include, and are not limited to:  dial-up credit card terminals, IP-credit card terminals, desktop computers, servers, load balancers, jump-boxes, USB card readers, end to end encryption devices.  All device models, serial numbers, machine names, IP addresses, domain names, and application versions, operating systems, and component locations must also be included in the assets inventory.
• Network Diagram: Network diagrams pertain to all processing methods using the internet.  A Network Diagram is a diagram showing system components and connections within a networked environment. The department’s System Administrator is responsible for updating the data flow diagram if changes are made to any of the system components or IP addresses.
• WIAN PCI Active Directory: Users with access to PCI devices and other components must log into these devices and components through the dedicated PCI Active Directory.   Access is based on approval from Income Accounting and Student Loan Services.
• Training & List of employees  with PCI Access: Training must be completed annually by all employees that handle cardholder data. A list of employees with access to cardholder data with their training, hire date, termination date, background check status, and other information is kept by the department, and updated as needed.
• Third Party Attestation of Compliance:  It the responsibility of each merchant to ensure that the Third Party Vendor supplying the payment card services are keeping up their own PCI Compliance.
• *Annual Assessment by a Qualified Security Assessor:  The University is required to complete a PCI DSS Report on Compliance annually.  A Qualified Security Assessor is hired by the university to complete the assessment of the organization’s compliance and complete the report.  Each merchant entity will be financially responsible for their portion of the annual assessment.

 

Please see below for the different modes of payment card transactions and the security requirements that incur costs annually.

Stand Alone Terminals:  Stand-alone terminals use an analog phone line for communication.  This is the most inexpensive option.  There are no specific security requirements with associated costs, other than an annual assessment for policies, procedures, and employee training.

• Annual Assessment by a Qualified Security Assessor

 

IP Terminals:  An internet connection is used for communication to authorize and settle payment card transactions.  Security requirements are as follows:

• Annual Assessment by a Qualified Security Assessor
• Static IP address behind a firewall within the PCI environment
• Monthly vulnerability scans for each IP address
• Antivirus Monitoring
• File Integrity Monitoring
• Identity Finder

 

End to End Encryption Devices:  End to End encryption devices are the preferred method of processing transaction using a computer software or internet service through a PCI Certified Service Provider.  End to End Encryption encrypts the card holder data within the device before it passes through your computer or servers.  The cardholder data is only decrypted when it reaches the payment gateway used for authorizing and settling the transactions.  End to End encryption that has been assessed by the PCI Council is called Point to Point Encryption. Security requirements are as follows:

• Testing upon implementation for un-encrypted cardholder data and other sensitive data
• Annual Assessment by a Qualified Security Assessor

 

Third Party Software – Hosted by the Third Party Vendor:  You may find a vendor that hosts a web service to charge payment cards along with other services for conference registration, ecommerce sales, or payments for other services you provide.  Payment card transactions are initiated by the cardholders, and your department never processes or touches cardholder data.  Such vendors must be certified with the PCI Council as a Service Provider.  Security requirements are as follows:

• Annual Assessment by a Qualified Security Assessor
• Annual validation of the vendor’s PCI Service Provider standing:  Attestation of Compliance

 

Virtual Terminals:  A virtual terminal is a service hosted by a Third Party Vendor who is a PCI Certified Service Provider.  A virtual payment terminal is web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes. Security requirements are as follows:

• Annual Assessment by a Qualified Security Assessor
• Monthly Vulnerability Scans
• Anti-virus Monitoring
• File Integrity Monitoring
• Identity Finder
• Logging
• Penetration testing

 

Kiosk for self-service transactions (no end to end encryption):  A kiosk is a contained computer that uses a third party software or internet service that is PCI Certified.  The internet is used for communication.  The kiosk allows cardholders to initiate transactions for services or dispensed merchandise.  A kiosk without an end to end encryption device that encrypts the payment card number upon swipe has the following security requirements:

• Annual Assessment by a Qualified Security Assessor
• Monthly Vulnerability Scans
• Anti-virus Monitoring
• File Integrity Monitoring
• Identity Finder
• Logging
• Penetration testing
• Multi-Factor Authentication for remote access (as applicable)

 

Re-Directed Software Solution: Software that is installed on a desktop computer or server may use a payment process that re-directs the user to a payment gateway to enter their payment card data.  Once the user is on the payment gateway web page, the University’s servers and computer are not touching the cardholder data.  However, the software and associated computers or servers have specific security requirements to protect that handoff from the software to the payment gateway.  Security requirements are all follows:

• Annual Assessment by a Qualified Security Assessor
• Monthly Vulnerability Scans
• Anti-virus Monitoring
• File Integrity Monitoring
• Identity Finder
• Logging
• Penetration testing
• Multi-Factor Authentication for remote access (as applicable)

 

3^rd Party Software – Hosted on Campus:  Approved 3^rd Party Software installed on a campus server must employ all of the following

• Annual Assessment by a Qualified Security Assessor
• Monthly Vulnerability Scans
• Anti-virus Monitoring
• File Integrity Monitoring
• Identity Finder
• Logging
• Penetration testing
• Multi-Factor Authentication for remote access (as applicable)

 

Campus E-Commerce – UMarket and UPay:  The University has a standardized e-commerce option available to departments, via a shopping cart, or a single checkout page.

• Annual Assessment by a Qualified Security Assessor
• Monthly Vulnerability Scans
• Anti-virus Monitoring
• File Integrity Monitoring
• Identity Finder
• Logging
• Penetration testing
• Multi-Factor Authentication for remote access (as applicable)