
<Insert Logo Here>

ABC Corporation

Credit Card Security Policies


PCI DSS 2.0 Version 1.0 - Month, Day, Year

CONFIDENTIAL INFORMATION This document is the property of ABC Corporation; it contains information that is proprietary, confidential, or otherwise restricted from disclosure. If you are not an authorized recipient, please return this document to the above-named owner. Dissemination, distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of ABC Corporation.

Revision History

Changes               Approving Manager     Date
Initial Publication

Introduction and Scope


Introduction
This document explains ABC Corporation's credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program. ABC Corporation management is committed to these security policies to protect information utilized by ABC Corporation in attaining its business goals. All employees are required to adhere to the policies described within this document.

Scope of Compliance
The PCI requirements apply to all systems that store, process, or transmit cardholder data. Currently, ABC Corporation's cardholder environment consists only of limited payment applications (typically point-of-sale systems) connected to the internet, but does not include storage of cardholder data on any computer system. Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) C, ver. 2.0, October, 2010. Should ABC Corporation implement additional acceptance channels, begin storing, processing, or transmitting cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ C, it will be the responsibility of ABC Corporation to determine the appropriate compliance criteria and implement additional policies and controls as needed.

Requirement 1: Build and Maintain a Secure Network


Firewall Configuration
Firewalls must restrict connections between untrusted networks and any system in the cardholder data environment. An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage. (PCI Requirement 1.2)

Inbound and outbound traffic must be restricted to that which is necessary for the cardholder data environment. All other inbound and outbound traffic must be specifically denied. (PCI Requirement 1.2.1)

All open ports and services must be documented. Documentation should include the port or service, source and destination, and a business justification for opening said port or service. (PCI Requirement 1.2.1)

Perimeter firewalls must be installed between any wireless networks and the cardholder data environment. These firewalls must be configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. (PCI Requirement 1.2.3)

Firewall configuration must prohibit direct public access between the Internet and any system component in the cardholder data environment as follows:
- Direct connections are prohibited for inbound and outbound traffic between the Internet and the cardholder data environment (PCI Requirement 1.3.3)
- Outbound traffic from the cardholder data environment to the Internet must be explicitly authorized (PCI Requirement 1.3.5)
- Firewalls must implement stateful inspection, also known as dynamic packet filtering (PCI Requirement 1.3.6)

Any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network, must have a local (personal) software firewall installed and active. This firewall must be configured to specific standards, and not alterable by mobile and/or employee-owned computer users. (PCI Requirement 1.4)
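As an added illustration of the firewall rules in this requirement (it is not part of this policy and not an ABC Corporation configuration), the following Python builds an iptables ruleset from a documented allowlist: default-deny policies, stateful inspection, one accept rule per documented opening with its business justification carried in the rule as an iptables comment, and a validator that rejects any opening with no justification, any inbound rule from "any" source, and any outbound rule to "any" destination. The Rule class, the function names and the sample addresses (RFC 5737 documentation ranges and private subnets) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One documented opening in the CDE host firewall: the fields PCI DSS
    1.2.1 asks to be recorded (port/service, source, destination, justification)."""
    direction: str       # "in" = traffic into the CDE host, "out" = traffic from it
    proto: str           # "tcp" or "udp"
    port: int
    source: str          # CIDR, or "any"
    destination: str     # CIDR, or "any"
    justification: str   # business justification; must not be empty


def validate(rules):
    """Return a list of policy violations; an empty list means the list may be rendered."""
    problems = []
    for r in rules:
        name = f"{r.direction} {r.proto}/{r.port} {r.source}->{r.destination}"
        if r.direction not in ("in", "out") or r.proto not in ("tcp", "udp"):
            problems.append(f"{name}: unknown direction or protocol")
        if not 1 <= r.port <= 65535:
            problems.append(f"{name}: port out of range")
        if not r.justification.strip():
            problems.append(f"{name}: missing business justification (1.2.1)")
        if r.direction == "in" and r.source == "any":
            problems.append(f"{name}: inbound from any source is direct Internet access (1.3.3)")
        if r.direction == "out" and r.destination == "any":
            problems.append(f"{name}: outbound to any destination is not an explicit authorization (1.3.5)")
    return problems


def render_iptables(rules):
    """Produce iptables commands: default deny, stateful inspection, then one
    ACCEPT per documented rule with its justification stored as a rule comment."""
    problems = validate(rules)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "iptables -P INPUT DROP",     # 1.2.1: anything not listed below is denied
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        # 1.3.6: stateful inspection; only replies to permitted connections pass
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        chain = "INPUT" if r.direction == "in" else "OUTPUT"
        cmd = f"iptables -A {chain} -p {r.proto} --dport {r.port}"
        if r.source != "any":
            cmd += f" -s {r.source}"
        if r.destination != "any":
            cmd += f" -d {r.destination}"
        cmd += f' -m conntrack --ctstate NEW -m comment --comment "{r.justification}" -j ACCEPT'
        lines.append(cmd)
    # Log what the default policy drops so denied attempts show up in log review.
    lines.append('iptables -A INPUT -j LOG --log-prefix "CDE-DROP-IN: "')
    lines.append('iptables -A OUTPUT -j LOG --log-prefix "CDE-DROP-OUT: "')
    return lines


# Constructed allowlist for one POS host; addresses are documentation ranges, not real ones.
APPROVED_RULES = [
    Rule("out", "tcp", 443, "any", "203.0.113.10/32",
         "Authorization requests to the payment processor gateway"),
    Rule("in", "tcp", 22, "10.20.0.0/24", "any",
         "Administrative SSH from the management subnet only"),
]

# The same list plus the kinds of entry the policy forbids, to show the validator rejecting them.
REJECTED_RULES = APPROVED_RULES + [
    Rule("out", "tcp", 80, "any", "any", ""),
    Rule("in", "tcp", 8080, "any", "any", "Vendor dashboard"),
]

if __name__ == "__main__":
    print("\n".join(render_iptables(APPROVED_RULES)))
    print("\n".join(validate(REJECTED_RULES)))
```

The rendered commands are meant to be reviewed and applied by the firewall administrator; the generated list doubles as the port-and-service documentation the requirement asks for, since every ACCEPT line carries its source, destination and justification.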

Requirement 2: Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Vendor Defaults
Vendor-supplied defaults must always be changed before installing a system on the network. Examples of vendor defaults include passwords, SNMP community strings, and elimination of unnecessary accounts. (PCI Requirement 2.1)

Default settings for wireless systems must be changed before implementation. Wireless environment defaults include, but are not limited to:
- default encryption keys
- passwords
- SNMP community strings
- default passwords/passphrases on access points
- other security-related wireless vendor defaults as applicable
Firmware on wireless devices must be updated to support strong encryption for authentication and transmission of data over wireless networks. (PCI Requirement 2.1.1)

Unneeded Services and Protocols
Only necessary services, protocols, daemons, etc., as needed for the function of the system may be enabled. All services and protocols not directly needed to perform the device's specified function must be disabled. (PCI Requirement 2.2.2)

Non-Console Administrative Access
Credentials for non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS. Encryption technologies must include the following: (PCI Requirement 2.3)
- Must use strong cryptography, and the encryption method must be invoked before the administrator's password is requested.
- System services and parameter files must be configured to prevent the use of telnet and other insecure remote login commands.
- Must include administrator access to web-based management interfaces.

Requirement 3: Protect Stored Cardholder Data


Prohibited Data
Processes must be in place to securely delete sensitive authentication data post-authorization so that the data is unrecoverable. (PCI Requirement 3.2) Payment systems must adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
- The full contents of any track data from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored under any circumstance. (PCI Requirement 3.2.1)
- The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance. (PCI Requirement 3.2.2)
- The personal identification number (PIN) or the encrypted PIN block are not stored under any circumstance. (PCI Requirement 3.2.3)

Displaying PAN
ABC Corporation will mask the display of PANs (primary account numbers), and limit viewing of PANs to only those employees and other parties with a legitimate need. A properly masked number will show only the first six and the last four digits of the PAN. (PCI Requirement 3.3)
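The two controls in this requirement, non-storage of sensitive authentication data (3.2) and masking of displayed PANs (3.3), are illustrated by the following added Python example, which is not part of this policy. It masks a PAN to its first six and last four digits, and it scans constructed POS log lines for unmasked Luhn-valid PANs and for track-shaped data (a PAN immediately followed by the "^" or "=" field separator of magnetic-stripe track 1 or track 2 data), which is what a post-authorization storage check looks for. Findings are reported in masked form so the scanner itself never writes a full PAN. The test card numbers, the log lines, the function names and the 13-to-19-digit PAN length bound are assumptions of the example.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Luhn check: real PANs pass it, so it filters out order numbers and
    timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits (PCI DSS 3.3).
    Spaces and dashes are accepted on input and dropped."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:   # assumed PAN length bound
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A PAN directly followed by '^' (track 1) or '=' (track 2) is track-shaped data (3.2.1).
TRACK_RE = re.compile(r"(?<!\d)(\d{13,19})[\^=]")


def find_unmasked_pans(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid PAN found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))   # never report the full PAN
    return hits


def find_track_data(text: str):
    """Return the line numbers that hold track-shaped data with a Luhn-valid PAN."""
    return [lineno for lineno, line in enumerate(text.splitlines(), 1)
            if any(luhn_valid(m.group(1)) for m in TRACK_RE.finditer(line))]


# Constructed POS log lines using well-known test card numbers; not real data.
SAMPLE_LOG = """\
2024-03-01 10:02:11 POS01 auth ok card=411111******1111 amount=19.99
2024-03-01 10:02:12 POS01 DEBUG raw request pan=4111111111111111 exp=1227
2024-03-01 10:03:40 POS02 order_id=1234567890123456 status=shipped
2024-03-01 10:04:05 POS02 DEBUG track2=;5555555555554444=27121011234567890?
2024-03-01 10:05:00 POS03 auth ok card=3782 8224 6310 005 amount=250.00
"""

if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN {masked}")
    for lineno in find_track_data(SAMPLE_LOG):
        print(f"line {lineno}: track data stored after authorization")
```

On the sample log, line 1 is already masked and is not reported, line 3 is an order number that fails the Luhn check, and lines 2, 4 and 5 are reported; line 4 is additionally flagged as track data. The same scan run over payment-application logs and debug output is one practical way to verify that the non-storage rules above hold.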

Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks


Transmission of Cardholder Data
Cardholder data sent across open, public networks must be protected through the use of strong cryptography or security protocols (e.g., IPSEC, SSL/TLS). Only trusted keys and/or certificates can be accepted. For SSL/TLS implementations, HTTPS must appear as part of the URL, and cardholder data may only be entered when HTTPS appears in the URL. (PCI Requirement 4.1) Industry best practices (for example, IEEE 802.11i) must be used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment. (PCI Requirement 4.1.1) Sending unencrypted PANs by end-user messaging technologies is prohibited. Examples of end-user technologies include email, instant messaging and chat. (PCI Requirement 4.2)

Requirement 5: Use and Regularly Update Anti-Virus Software or Programs


Anti-Virus
All systems, particularly personal computers and servers commonly affected by viruses, must have installed an anti-virus program which is capable of detecting, removing, and protecting against all known types of malicious software. (PCI Requirement 5.1, 5.1.1) All anti-virus programs must be kept current through automatic updates, be actively running, be configured to run periodic scans, and be capable of generating audit logs. Anti-virus logs must be retained in accordance with PCI Requirement 10.7. (PCI Requirement 5.2)

Requirement 6: Develop and Maintain Secure Systems and Applications


Security Patches
All critical security patches must be installed within one month of release. This includes relevant patches for operating systems and all installed applications. (PCI Requirement 6.1)

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

Limit Access to Cardholder Data
Access to ABC Corporation's cardholder system components and data is limited to only those individuals whose jobs require such access. (PCI Requirement 7.1) Access limitations must include the following:
- Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities. (PCI Requirement 7.1.1)
- Privileges must be assigned to individuals based on job classification and function (also called "role-based access control"). (PCI Requirement 7.1.2)

Requirement 8: Assign a Unique ID to Each Person with Computer Access


Remote Access
Two-factor authentication must be incorporated for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (PCI Requirement 8.3)

Vendor Accounts
All accounts used by vendors for remote maintenance shall be enabled only during the time period needed. Vendor remote access accounts must be monitored when in use. (PCI Requirement 8.5.6)

Requirement 9: Restrict Physical Access to Cardholder Data


Physically Secure all Media Containing Cardholder Data
Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:
- All media must be physically secured. (PCI Requirement 9.6)
- Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls shall include:
  - Media must be classified so the sensitivity of the data can be determined. (PCI Requirement 9.7.1)
  - Media must be sent by a secure carrier or other delivery method that can be accurately tracked. (PCI Requirement 9.7.2)
- Logs must be maintained to track all media that is moved from a secured area, and management approval must be obtained prior to moving the media. (PCI Requirement 9.8)
- Strict control must be maintained over the storage and accessibility of media containing cardholder data. (PCI Requirement 9.9)

Destruction of Data
All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. (PCI Requirement 9.10) Hardcopy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. Containers storing information waiting to be destroyed must be secured to prevent access to the contents. (PCI Requirement 9.10.1)

Requirement 11: Regularly Test Security Systems and Processes


Testing for Unauthorized Wireless Access Points
At least quarterly, ABC Corporation will perform testing to ensure there are no unauthorized wireless access points present in the cardholder environment. (PCI Requirement 11.1) This testing must detect and identify any unauthorized wireless access points, including at least the following:
- WLAN cards inserted into system components
- Portable wireless devices connected to system components (for example, by USB, etc.)
- Wireless devices attached to a network port or network device
If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.) it must be configured to generate alerts. Detection of unauthorized wireless devices must be included in the Incident Response Plan (see PCI Requirement 12.9).

Vulnerability Scanning
At least quarterly, and after any significant changes in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades), ABC Corporation will perform vulnerability scanning on all in-scope systems. (PCI Requirement 11.2) Internal vulnerability scans must be repeated until passing results are obtained, or until all "high" vulnerabilities as defined in PCI Requirement 6.2 are resolved. (PCI Requirement 11.2.1, 11.2.3) Quarterly vulnerability scan results must satisfy the ASV Program Guide requirements (for example, no vulnerabilities rated higher than a 4.0 by the CVSS and no automatic failures). External vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). (PCI Requirement 11.2.2, 11.2.3)

Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
Security Policy
ABC Corporation shall establish, publish, maintain, and disseminate a security policy that addresses how the company will protect cardholder data. (PCI Requirement 12.1) This policy must be reviewed at least annually, and must be updated as needed to reflect changes to business objectives or the risk environment. (PCI Requirement 12.1.3)

Critical Technologies
ABC Corporation shall establish usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email, and internet usage). (PCI Requirement 12.3) These policies must include the following:
- Explicit approval by authorized parties to use the technologies (PCI Requirement 12.3.1)
- Authentication for use of the technology (PCI Requirement 12.3.2)
- A list of all such devices and personnel with access (PCI Requirement 12.3.3)
- Acceptable uses of the technologies (PCI Requirement 12.3.5)
- Acceptable network locations for the technologies (PCI Requirement 12.3.6)
- Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity (PCI Requirement 12.3.8)
- Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate de-activation after use (PCI Requirement 12.3.9)

Security Responsibilities
ABC Corporation's policies and procedures must clearly define information security responsibilities for all personnel. (PCI Requirement 12.4)

Incident Response Policy
The ____________ shall establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. (PCI Requirement 12.5.3)

Incident Identification
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
- Theft, damage, or unauthorized access (e.g., papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry)
- Fraud
- Inaccurate information within databases, logs, files or paper records

Reporting an Incident
The __________ should be notified immediately of any suspected or real security incidents involving cardholder data:
- Contact the ________________ to report any suspected or actual incidents.
- The Internal Audit's phone number should be well known to all employees and should page someone during non-business hours.
- No one should communicate with anyone outside of their supervisor(s) or the ____________ about any details or generalities surrounding any suspected or actual incident.
- All communications with law enforcement or the public will be coordinated by the __________________.
- Document any information you know while waiting for the _______________ to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.

Incident Response
Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.

Contain, Eradicate, Recover and perform Root Cause Analysis
1. Notify applicable card associations.
   Visa: Provide the compromised Visa accounts to Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa's "What to do if compromised" documentation for additional activities that must be performed. That documentation can be found at http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_what_to_do_if_compromised.pdf
   MasterCard: Contact your merchant bank for specific details on what to do following a compromise. Details on the merchant bank (aka. the acquirer) can be found in the Merchant Manual at http://www.mastercard.com/us/wce/PDF/12999_MERC-Entire_Manual.pdf. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.
   Discover Card: Contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.
2. Alert all necessary parties. Be sure to notify:
3. Merchant bank
4. Local FBI Office
5. U.S. Secret Service (if Visa payment data is compromised)
6. Local authorities (if appropriate)
7. Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: http://www.ncsl.org/programs/lis/cip/priv/breach.htm
8. Collect and protect information associated with the intrusion. In the event that forensic investigation is required, the ____________ will work with legal and management to identify appropriate forensic specialists.
9. Eliminate the intruder's means of access and any related vulnerabilities.
10. Research potential risks related to or damage caused by the intrusion method used.

Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of the ______________ and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security control can be made more effective or efficient must be updated accordingly.

Security Awareness
ABC Corporation shall establish and maintain a formal security awareness program to make all personnel aware of the importance of cardholder data security. (PCI Requirement 12.6)

Service Providers
ABC Corporation shall implement and maintain policies and procedures to manage service providers. (PCI Requirement 12.8) This process must include the following:
- Maintain a list of service providers (PCI Requirement 12.8.1)
- Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data the service providers possess (PCI Requirement 12.8.2)
- Implement a process to perform proper due diligence prior to engaging a service provider (PCI Requirement 12.8.3)
- Monitor service providers' PCI DSS compliance status (PCI Requirement 12.8.4)