WIXLIB

Technical Guidelines for PCI Data Storage(See glossary for definitions)Data ElementCardholder DataSensitiveAuthentication Data[2]StoragePermittedProtection Requi PCI DSS Req.red3, 4Primary Account Number(PAN)YesYesYesCardholder Name [1]YesYes [1]NoService Code [1]YesYes [1]NoExpiration Date [1]YesYes [1]NoFullMagnetic Stripe Data [3]NoN/AN/ACAV2/CVC2/CVV2/CIDNoN/AN/APIN/PIN BlockNoN/AN/A[1] These data elements must be protected if stored in conjunction with the PAN. This protectionshould be per PCI-DSS requirements for general protection of the cardholder data environment.Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identitytheft, or data security) may require specific protection of this data, or proper disclosure of acompany’s practices if consumer related personal data is being collected during the course ofbusiness. PCI-DSS, however, does not apply if PANs are not stored, processed, or transmitted.[2] Sensitive authentication data must not be stored after authorization (even if encrypted).[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.More information on the previous two charts may be foundat: https://www.pcisecuritystandards.org/pdfs/pci fs data storage.pdfIf your system is compromised, you could: lose the ability to process credit cards be required to scan your system more frequently than otherwise required cause a negative impact on other stakeholders suffer loss of public confidenceThe cost of a credit card breach can include fines and fees for which you are accountable and whichmay vary in severity depending on 1) the number of card numbers stolen; 2) if magnetic stripe (track)data was stored or not; 3) the timeliness of reporting the incident and 4) the circumstancessurrounding the incident. Fines may be assessed by each of the credit card companies involved. Theremay also be extra costs for breach notification, forensic investigations and annual on-site securityaudits. Organizations are not exempt from these fees and fines.But what will it cost to comply? Less than if a breach occurs. There will likely be costs forupgrading your payment systems and implementing security controls on your network(s) if none arecurrently in place. Vulnerability scanning and maintaining compliance will be ongoing costs, as threatsand vulnerabilities continue to change. Costs may be minimal if your organization is already followingthe PCI-DSS and other best practices for securing information.4

How can you secure the credit card data your organization processes? As abusiness manager, you should talk with the person responsible for your information security and ITManager (if you have one) to determine how your organization needs to address compliance. ThePCI-DSS Prioritized Approach is a great tool available from the PCI Security Standards Council toexpedite your efforts towards payment security. Like other business programs, security begins withmanaging risk – where compliance is a byproduct of security. Implementing these six strategies canreduce the highest risk to cardholder data as early as possible in the journey to compliance:1.2.3.4.5.6.If you don’t need it, don’t store it (in particular, credit card numbers and othersensitive data items at highest risk).Secure the perimeter (use a network diagram to determine all access points—external,internal, and wireless networks — and segment the network to limit what you need tosecure).Secure payment cards applications (including application processes and servers).Control access to your systems (know the who, what, when and how for peopleaccessing your network).Protect stored cardholder data (if your organization must store sensitive cardinformation).Finalize remaining compliance efforts, and ensure all controls are in place(complete the remaining PCI-DSS requirements, implement policy, procedures andprocesses).The PCI-DSS Prioritized Approach is available at the PCI Security Standards Council website to assistyour organization in organizing these strategies. Other tools and best practices continue to be addedto the website at https://www.pcisecuritystandards.org/security standards/documents.phpAdditionally your organization should have policies and procedures for staff on how to handle cardtransactions and associated data. These procedures should address day-to-day operations, securestorage of paper records, and printouts. Your policies and procedures should reflect the PCIrequirements (e.g., only saving the last four digits of the credit card number.)Who are the players? The chart below contains the roles of various organizations involved in acredit card transaction.Payment BrandsProcessing organization MasterCard, ISA, American Express etc.) that licensesmembers andmerchants to issue and accept credit cardsIssuersFinancial Institutions that issue credit cards to cardholders (name of institutionon the card)AcquirersFinancial institutions that support merchants by providing services forprocessing payment card transactions (accepts credit card transactions fromthe merchant)MerchantsAny business owners, agencies or governments authorized to accept creditcard transactions in exchange for goods and servicesService Providers Organizations that process, store, or transmit cardholder data on behalf ofmembers, merchants, or other service providers. (They may passInformation onto the bank or hold onto the information. Paypal andAuthorizeNet are examples of service providers.)If you use a service provider, you will need to determine if the service provider is PCI compliant. A listof compliant service providers is available on each payment brand website.5

Achieving ComplianceThis section contains more specifics about securing the credit card process in your organization. Notonly will the IT Manager need to be aware of the process but so will anyone involved with creditcard transactions of any kind, including paper transactions which may be storedin file cabinet. Additional charts and information are found on the PCI and payment brands (e.g. Visa,MasterCard etc.) websites.Organizations which process credit card payments are considered “merchants.” Yourmerchant level is generally determined by how many credit card transactions yourorganization processes each year. However, payment brands may change your level if a breachoccurs or at their discretion.Note that each “payment brand’ may use different parameters for establishing your merchant stcomplywithall payment brands’ requirements for those payment brands in use. For example, one payment brandmay categorize an organization as a level 1 while another brand categorizes the same organizationas a level 2. In general, the more restrictive categorization would apply and the organizationwould need to validate at a level 1. Smaller numbers of transactions may resultin fewer requirements. A merchant level chart is included at the end of this Guide; however check withyour payment brand company for current merchant level definitions and validation ionsecuritypoliciesandprocedures,as required by the Data Security Standards. The previous Getting Started Guide and its companionguides located at http://www.dhses.ny.gov/ocs/resources/ are a good place to look for helpwith building policies.If your wireless network is segmented from your credit card process, it does not need to be includedin the planning. Any wireless network that may be involved with or connected to the creditcard processor must be included in the compliance process.6

The PCI Standard requirements are presented in the chart below:PCI-DSS Overview Fact issc getting started with pcidss.pdf)GoalsBuild and Maintaina Secure NetworkGeneral Requirements1) Install and maintain a firewall configuration to protect cardholderdata2) Do not use vendor-supplied defaults for system passwords andother security parametersProtect CardholderData3)Protect stored cardholder data4) Encrypt transmission of cardholder data across open, publicnetworksMaintain aVulnerabilityManagementProgramImplement StrongAccess ControlMeasuresRegularly MonitorandTest Networks5)Use and regularly update anti-virus software or programs6)Develop and maintain secure systems and applications7)Restrict access to cardholder data by business need-to-know8)Assign a unique ID to each person with computer access9)Restrict physical access to cardholder data10) Track and monitor all access to network resources and cardholderdata11)Maintainan InformationSecurity PolicyRegularly test security systems and processes12) Maintain a policy that addresses information security foremployees and contractorsGoal 1: Build and Maintain a Secure Network. PCI-DSS applies to the entire cardholderenvironment, i.e., the segment of the network, systems and equipment that transmits or storescardholder data.Requirement 1: Install and maintain a firewall configuration to protect cardholder dataRequirement 2: Do not use vendor-supplied defaults for system passwords and other securityparameters7

Organizations must secure all system components (network components, including wireless, servers,applications) that are connected to the segment containing the credit card information. Adequatesegmentation and/or isolation of the cardholder environment reduce your scope of compliance.Goal 2: Protect Cardholder DataRequirement 3: Protect stored cardholder dataRequirement 4: Encrypt transmission of cardholder data across open, public networksIf you don’t need it, don’t store it. If you must store the primary account number (PAN), it must beunreadable through the use of strong encryption especially in the case of a wireless network or betruncated using only the first six or last four digits. Full magnetic stripe data must NEVER be storedafter a transaction is authorized. The information on the card stripe contains the following sensitiveinformation: Cardholder Name Service Code Expiration Date PIN – must never be stored CVV – Card Validation/Verification Value must never be storedTechnical Guidelines for PCI Data Storage(See glossary for definitions)Data ElementCardholder DataSensitiveAuthentication Data[2]StoragePermittedProtection Requi PCI DSS Req.red3, 4Primary Account Number(PAN)YesYesYesCardholder Name [1]YesYes [1]NoService Code [1]YesYes [1]NoExpiration Date [1]YesYes [1]NoFullMagnetic Stripe Data [3]NoN/AN/ACAV2/CVC2/CVV2/CIDNoN/AN/APIN/PIN BlockNoN/AN/A[1] These data elements must be protected if stored in conjunction with the PAN. This protectionshould be per PCI-DSS requirements for general protection of the cardholder data environment.Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identitytheft, or data security) may require specific protection of this data, or proper disclosure of acompany’s practices if consumer related personal data is being collected during the course ofbusiness. PCI-DSS, however, does not apply if PANs are not stored, processed, or transmitted.[2] Sensitive authentication data must not be stored after authorization (even if encrypted).[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.8

More information on the previous two charts may be foundat: https://www.pcisecuritystandards.org/pdfs/pci fs data storage.pdfGoal 3: Maintain a Vulnerability Management ProgramRequirement 5: Use and regularly update anti-virus softwareRequirement 6: Develop and maintain secure systems and applicationsAnti-virus software, updated and maintained through software license renewals, is required on alloperating systems to defend against malicious software. Additionally all computer systems must bepatched to reduce software vulnerabilities. Organization applications accessed over the Internet mustbe written using secure programming code.Goal 4: Implement Strong Access Control MeasuresRequirement 7: Restrict access to cardholder data by business need-to-knowRequirement 8: Assign a unique ID to each person with computer accessRequirement 9: Restrict physical access to cardholder dataReduce the opportunities for accidental or inappropriate viewing of the credit card information bylimiting who has access to the information. Each employee, contractor or individual authorized toprocess the credit card files must use strong passwords and have a unique ID. Sharing user accountsand passwords violates compliance requirements. If credit card files are stored off-site (seeGuidelines for Backing Up Information), a designated individual should visit that site at least annuallyto confirm proper compliance. These requirements apply to paper files as well as electronic files. Youmust properly dispose of files that are no longer needed to ensure the sensitive information is notdiscovered by unauthorized individuals (see Erasing Information and Disposal of Electronic MediaGuide at http://www.dhses.ny.gov/ocs/resources/).Goal 5: Regularly Monitor and Test NetworksRequirement 10: Track and monitor all access to network resources and cardholder dataRequirement 11: Regularly test security systems and processesWork with your Information Technology (IT) Manager to make certain that log files are kept for allaccess to the network environment associated with the credit card data. Systems should bemonitored constantly for access and data usage. This information will alert you to any potentialproblems and be useful to prove the logs are being kept. In the event, or suspicion, of a breach,these logs will be required for investigation (see Cyber Incident Response Guideat http://www.dhses.ny.gov/ocs/resources/). Under Requirement 11, organizations need to useApproved Scanning Vendors (ASVs) to test the computer system for vulnerabilities. Tests includepenetration tests, vulnerability scanning and application scanning. More will be provided on scans inthe following section.Goal 6: Maintain an Information Security PolicyRequirement 12: Maintain a policy that addresses information securityAn Information Security Policy is a best practice no matter what information is being handled orstored. The policy must be implemented and staff must be trained on the policies, procedures andprocesses associated with it.9

PCI: Continuous Process PCI compliance is an ongoing process with these three primarysteps:1.Assess: taking an inventory of your IT assets and business processes for payment cardprocessing, and analyzing them for vulnerabilities that could expose cardholder data2. Remediate: fixing those vulnerabilities3. Report: compiling of records required by PCI-DSS to validate remediation, and submissionof compliance reports to the acquiring bank and card payment brands with which youconduct businessMore information is availableat: www.pcisecuritystandards.org/pdfs/pcissc getting started with pcidss.pdfStep 1: ASSESS To determine your organization’s compliance with the PCI Data SecurityStandard, begin with an inventory of all IT assets and business processes where a payment card isprocessed. Once all the assets and processes are identified, use the Standards above to follow theflow of the credit card payment process in your organization. Remember to include any third partypartners that may be involved. All components of the process must be checked for vulnerabilities.The PCI Standards Council provides two types of independent experts to help with assessments: theQualified Security Assessor (QSA) and the Approved Scanning Vendor (ASV). QSAs have trainedpersonnel and processes to assess and prove compliance with PCI DSS. ASVs providecommercial software tools to perform vulnerability scans for your systems.Complete Self-Assessment Questionnaire (SAQ) Organizations which are not required todo on-site assessments for PCI-DSS compliance use the SAQ, a validation tool. You can complete thequestionnaire yourself or contract with a QSA to complete it. SAQs must be performed annually by allorganizations, regardless of level. An organization may fit one of five SAQ Validation Types.See chart below.Self-Assessment Questionnaire (SAQ)SAQValidationTypeDescriptionSAQ TypeTotal numberofquestions1Card-not-present (e-commerce or ail/telephone-order)merchants, all cardholder data functions outsourcedA112Imprint-only merchants with no electronic cardholder datastorageB213Stand-alone dial-out terminal merchants, no electroniccardholder data storageB214Merchants with Point–of-Sale or payment systemconnected to Internet. No electronic cardholder datastorageC385All other merchants that are SAQ-eligibleD226(full DSS)The SAQ form can be found on the PCI ity standards/documents.php?category saqs).Any “NO”answers result in noncompliance and remediation must be done to bring the organizationinto compliance.10

Step 2: REMEDIATE Remediation is the process of fixing vulnerabilities – including technicalflaws in software code or unsafe practices in how an organization processes or stores cardholder data.Steps include: Scanning your network with software tools that analyze infrastructure and identify knownvulnerabilitiesReviewing and remediating vulnerabilities found in on-site assessment (if applicable) orthrough the SAQ processClassifying and ranking the vulnerabilities to help prioritize the order of remediationApplying patches, fixes, workarounds, and changes to unsafe processes and workflowRe-scanning to verify that remediation actually occurred. 2Perform network level security scan A vulnerability scan is required for all externallyaccessible (Internet facing) IP addresses, and all internal IP addresses associated with credit carddata. External scans must be performed by an ASV, one which can be found on the PCI website. Thisscan is done to identify any problem areas on the network where malicious persons may attack. Allvulnerabilities found must be remediated and the network scanned again to confirm all problems areaddressed. Each time a change is made to the network, the network should be scanned again toidentify any new problems or errors.Step 3: REPORT You are required to submit regular reports for PCI compliance to your acquiringbank(s) and card payment brands with which you conduct business. PCI-SSC is not responsible for PCIcompliance. All organizations must submit a quarterly scan report, which must be completed by a PCIapproved ASV. Organizations with larger transaction flows must do an annual on-site assessmentcompleted by a PCI approved QSA and submit the findings to each acquiring bank.Organizations with smaller flows may be required to submit an annual Attestation within theSelf-Assessment Questionnaire 3 . An Attestation of Compliance form, also found online, must be signedby an executive in the organization.SummaryOrganizations must comply with the PCI Data Security Standard and validate compliance. Compliance(securing the credit card process) requires ongoing adherence to the standard and applies to everyorganization, regardless of transaction volume. Validation confirms organizations, service providers,payment applications, and PIN entry devices are compliant with the standard. This involves either anannual QSA assessment or self-assessment questionnaire and a quarterly scan as determined by themerchant level. Check the PCI Standards website for changes.Where can I find help? There are several websites to assist you in securing yourorganization’s credit card process. The first site below contains extensive information including formsand is updated frequently.23 PCI Security Standards Council https://www.pcisecuritystandards.org/has severalworksheets for assisting with the Self-Assessment Questionnaire, storage, offerscompensating controls guidance and other related materials. Visa Customer Information Security Program http://usa.visa.com/merchants/risk management/cisp.html?ep v sym cisp MasterCard Site Data Protection twedo/site data protection.html Discover http://www.discovernetwork.com/me

Payment Card Industry . Standard Compliance . A Non-Technical Guide . Essential for . Business Managers . Office Managers . Operations Managers . PIN . Service Code . Expiration Date . Cardholder Name . Card Validation . Verification Value . 0000 0 000000 0000 0000 0000 0 0000 0000 First MI Last 07/10 . compliant with the requirements of PCI.