Middlebury

Middlebury PCI DSS – Policy for Accepting Credit Card and ecommerce Payments

Approved: October 2012 V1.0, Updated: September 2013 V1.1, Updated: August 2014 V1.2

http://go.middlebury.edu/pcipolicy          http://go.middlebury.edu/PCIDSS


Contents
1.0 Purpose
2.0 Scope
3.0 Authority & Responsibility
4.0 Management
5.0 Policy
    Access
    Cardholder Data Handling, Retention and Disposal
    MDRP
    Merchant Account Request
    Security Awareness Program
    Security Breach Response
    Shared Hosting & Service Provider Management
Appendices
Appendix A: Checklist for Process for Merchant Account Request or Service Provider Change
Appendix B: Merchant Account Request Form or Service Provider Change
Appendix C: PROJECT PLAN (PCI Related)
Appendix D: Architecture Standards for PCI DSS Compliance


 

1.0 Purpose

The intent of this policy document is to guide the College in complying with the Payment Card Industry Data Security Standard (PCI DSS).  This policy addresses the Standards that are contractually imposed by the major credit card brands on merchants that accept payment cards.  These security requirements apply to all payment card transactions, whether processed electronically or in hard-copy format.  Many departments and merchants on campus process credit card transactions in the course of daily business.  As such, it is the intent of Middlebury through these policies to protect the privacy of our customers and to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). 

2.0 Scope

Any College employee, contractor, individual, or entity (hereinafter referred to as an agent), and any system or network, involved with the transmission, storage and/or processing of credit card numbers at Middlebury in the course of doing business on behalf of the College is subject to this policy and to the administrative and technical policies located in the College Handbook.  Not every requirement listed in this document applies directly to each individual Middlebury merchant, but all of them must be met by Middlebury as a whole. 

3.0 Authority & Responsibility

It is the policy of Middlebury that only departments who have been approved may accept payment for goods or services via credit card.  Failure to comply with the terms of these policies may result in disciplinary actions and could also limit a department’s credit card acceptance privileges.  The PCI Compliance Team’s purpose is to educate all entities in the College’s payment environment and to enforce the PCI DSS Policies contained herein.  Questions regarding this policy should be directed to the Middlebury PCI DSS Compliance Team.   

4.0 Management

The College may modify this policy from time to time, and reviews it annually as required, provided that all modifications are consistent with the current PCI DSS.  The College PCI policy was approved by Patrick J. Norton, VP for Finance and Treasurer, October 16, 2012.  The PCI Compliance Team is responsible for initiating and overseeing an annual review of this Policy, making appropriate revisions and updates and issuing the revised policy to the appropriate Merchant Departments.  This policy was updated on September 12, 2013 and again on August 11, 2014.

Definitions

CDE - Cardholder data environment
The portion of the computer network that stores, processes or transmits cardholder data or sensitive authentication data, together with the systems and network segments that directly attach to or support cardholder data processing, storage, or transmission.  

CHD – Cardholder Data
Credit card components that are required to be protected.  These include: Primary Account Number, Cardholder Name, Expiration Date, and Service Code.  The Card Verification Code is classified by PCI DSS as Sensitive Authentication Data and must never be stored after authorization (see Requirement 3.2 below).

Ecommerce
The buying and selling of products or services over the Internet.

MDRP – Merchant Department Responsible Person
Any department accepting credit card payments on behalf of the College for gifts, goods, or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for ecommerce and credit card transaction processing within that department.

Merchant
Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services.  Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.

Merchant Account/ID
A bank account that allows businesses to accept payments by payment cards.  A merchant account is established under an agreement between an acceptor and a merchant acquiring bank for the settlement of payment card transactions.

Payment Gateway
A service, typically operated by an e-commerce application service provider, that authorizes credit card payments.

Payment Processor
A company, often third party, appointed by a merchant to handle credit card transactions for merchant acquiring banks.

PCI DSS COMPLIANCE
The Payment Card Industry Data Security Standard (PCI DSS) is a mandated set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and to protect cardholders against misuse of their personal information. 

Point of Sale (POS)
The location where a credit card transaction occurs through a terminal or register.

SaaS Survey
Middlebury Security and Compliance Survey; required for all new Service Providers.

Self-Assessment Questionnaire (SAQ)
A validation tool to help merchants validate their compliance with PCI-DSS.

Service Provider
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.  This also includes companies that provide services that control or could impact the security of cardholder data.

Third Party
An entity external to Middlebury through which credit card transactions are processed.  The software used may or may not be owned by Middlebury. 

For a comprehensive list of definitions used by the PCI Security Standards Council please use the following link.  https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf

 

5.0 Policy

Access

Access to system components and cardholder data must be restricted to only those individuals whose job requires such access, and only to the level of access required.  Access to the processing facilities (Gift Administration and Cashiers Office, excluding POS systems) and Data Center(s) is physically secured.  Sufficient controls are in place to identify individuals entering/exiting.

Access Control

Access to cardholder data environments and business processes is controlled on the basis of business and security requirements.

  • Only those staff or authorized third parties requiring access to cardholder data in the regular course of their duties are granted access to the cardholder data environment, including both physical and electronic records (ex. CyberSource). 
  • In assigning access privileges to cardholder data environments, Middlebury will adhere to the model of least privilege.  Separation of duties will be employed whenever feasible to limit the chance of unauthorized modification of cardholder data or other fraudulent activities.
  • Authorized users will have unique IDs for access to all systems related to payment card processing; shared or group accounts are not permitted.
  • A user will be locked out of the cardholder data systems for 30 minutes after six (6) failed login attempts.  The user's identity must be positively verified before a password is reset.
  • Upon change in job or duties, user access to cardholder data environments will be evaluated and the model of least privilege will be utilized—access to cardholder data environment may be revoked if no longer required for job.
  • Upon termination of employment or relationship with Middlebury College, physical access to documents or other resources related to cardholder data is immediately prevented.  

Each department accepting credit cards will be required to complete an online annual Self-Assessment Questionnaire (SAQ).  The applicable processing type will determine the SAQ to be completed by each department.  Assistance in determining the appropriate SAQ Type will be provided.

 

Cardholder Data Handling, Retention and Disposal

**Middlebury does not store any cardholder data, in printed or electronic form**

Cardholder data is classified as Extremely Sensitive Data, see the Data Classification Policy at http://go.middlebury.edu/dcp.  Data can be in electronic or printed format, and may be transmitted and/or processed in the cardholder environment.  Middlebury’s cardholder environment includes all systems, applications, equipment, individuals, locations, and connections used for, and involved with, the transmittal, processing, and/or storage of cardholder data.  Appropriate facility entry controls must be used to limit and monitor physical access to systems in the cardholder data environment.  Middlebury does not store cardholder data in printed or electronic form.

Physical Handling of Cardholder Data

Cardholder data must not be accepted via email.  If an email is received containing cardholder data, a snapshot of the email header must be sent to the PCI Compliance Team at pcicomplianceteam@middlebury.edu for logging.  DO NOT FORWARD or PRINT the cardholder data.  Delete the email from Inbox and Deleted Items folder.  It is also necessary to delete it from the “Recover Deleted Items” folder.  Follow up with the constituent and advise of the appropriate methods of conveying a credit card payment.

Cardholder data must not be accepted via fax.  If a fax is received with cardholder data, immediately shred it in a crosscut shredder.  Notify the PCI Compliance Team with the name, date, and location at which the cardholder data was received.  Follow up with the constituent and advise of the appropriate methods of conveying a credit card payment.

Cardholder data received for manual processing (mail, hand delivered) must be processed in a credit card merchant account (ex. CyberSource) the same day it is received if possible, but absolutely no later than 1 business day (excluding calendar and fiscal year periods).  Upon successful entry into the Payment Processor, all cardholder data must be redacted from the documentation. 

Acceptable methods for cardholder data redaction are cross cut shredding or incineration.  Cardholder data must not be placed in Shredding Bins/Receptacles.  

Any cardholder data (card number, expiration date and card verification code) that has not yet been processed through a credit card merchant account (ex. CyberSource), i.e. that is pending entry in the payment processor, shall be housed in a secure/locked location.  Only authorized staff shall have access to the keys/combination.  See the User Authentication and Access Policy and the Background Check Policy.

The processing and storage of personally identifiable credit card or payment information on College computers and servers is prohibited.

The Primary Account Number (PAN) must be masked when displayed; the first six and last four digits are the maximum that may be shown.  The three- or four-digit card verification code printed on the card is never stored in any form.  The full contents of any track from the magnetic stripe (on the back of a credit card), or the equivalent data on a chip, are never stored in any form. 

Each department must maintain strict control over the internal and external distribution of any kind of media that contains cardholder data.  All media moved from a designated secure area (the department to which the cardholder data is delivered) must be marked confidential, documented on a triplicate-copy media removal tracking log, and transported in a secure bag by Public Safety or a document service.  No media containing cardholder data may leave the premises of the department that accepted it for processing.  Materials sent to constituents with a designated area for written cardholder data (for example, charitable donation appeals, PASS, FOA, FOL, etc.) must carry, on the return vehicle, the return address of the department that will process the cardholder data.  Every effort should be made to eliminate the area for written cardholder data on such appeals and instead direct constituents to a secure means of payment: a secure online form, a check, or a phone call.   

Electronic Cardholder Data

See Cardholder Data Environment Hardware Security Policy for Network and Appendix D for CDE Architecture.

Retention & Disposal

Middlebury does not store/retain cardholder data in any form; therefore, cardholder data is not subject to the Record Retention Policy, http://go.middlebury.edu/recordretention.  An inventory of stored cardholder data is not applicable.

Cardholder data in written form is redacted immediately following authorization in the payment gateway.  Acceptable forms of redaction are crosscut shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.

Middlebury runs a programmatic process on a monthly basis to discover and remove any stored cardholder data.

Data Classification Policy: see http://go.middlebury.edu/dcp for data classification levels.  Cardholder data is classified as Extremely Sensitive Data.

 

MDRP

Any department accepting credit card payments on behalf of Middlebury for gifts, goods, or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for ecommerce and credit card transaction processing within that department, known as the MDRP.  MDRP responsibilities can be seen at http://go.middlebury.edu/MDRP .

Each Merchant Department must have an MDRP at all times.  It is the responsibility of the MDRP and the MDRP's direct supervisor to ensure this role is filled.  The direct supervisor must record and track any change of MDRP.

MDRP Responsibilities include, but are not limited to, the following:

  •  Manage the Security Awareness Program, within the relevant Merchant Department, for all employees (including the MDRP), contractors, and agents, with access to payment card data.  The MDRP should submit all PCI Confidentiality Statements, upon request, to the PCI Compliance Team.  
  • Ensure that all credit card data collected by the relevant Merchant Department in the course of performing Middlebury business, regardless of how the payment card data is received is handled per the Cardholder Data Handling, Retention and Disposal Procedure outlined in this policy. 
  • Ensure that all credit card transactions are reviewed and reconciled to daily merchant reports.  Upload daily reconciliation reports to a shared Finance folder. 
  • Ensure only dedicated, approved hardware/software is utilized to process card payments.  Payment processing on cellular phones, iPads, and tablets is prohibited until such time as a formal standard is approved by the PCI SSC and adopted by the PCI Compliance Team.
  • Ensure all Point of Sale (POS) devices deploy anti-virus software.  Ensure all anti-virus mechanisms are current, actively running and generating audit logs.  Retain audit trail history for a minimum of one year.      
  • Ensure all POS devices are updated and patched with the latest vendor supplied security patches on a weekly basis.
  • Ensure Point of Sale devices are physically secured.  Inspect Point of Sale devices on a weekly basis, for tampering or substitution.  Non-production systems must be secured in a locked facility and regularly inventoried.  Retain inspection log for a minimum of one year.  
  • Verify and collect the PCI DSS Attestation of Compliance (AOC) and/or PA-DSS validation certificate (for POS systems) from all service providers within the relevant Merchant Department on an annual basis.  The MDRP should retain a copy of the certificates and submit a copy to the PCI Compliance Team upon receipt.  
  • Initiate process to implement new payment solutions or Service Provider change, see Merchant Account Request below. 
  • Ensure user access to the cardholder data environment within the relevant Merchant Department is revoked when the individual's job no longer requires access to the CDE.  Review user access to the cardholder data environment quarterly and retain the audit log for one year. 
  • The MDRP is responsible for initiating the process in the event of a security breach, see Security Breach Response below.

Merchant Account Request

The MDRP must follow the process noted in Appendix A:  Checklist for Process for Merchant Account Request or Service Provider Change, Appendix B: Merchant Account Request Form or Service Provider Change and Appendix C:  PROJECT PLAN (PCI Related), located at the end of this policy, to implement payment card processing and ecommerce at Middlebury.  These steps must also be completed in the event of a significant system or Service Provider change in payment card and ecommerce processing systems.

Security Awareness Program

This Security Awareness Policy details the requirements for the Security Awareness Training of users with physical and logical access to Middlebury’s cardholder data environment for Payment Card Industry (PCI) compliance.  All persons with physical and logical access to Middlebury’s environment, whether employees, third-parties, service providers, contractors, temporary employees, and/or other staff members, must be trained on their role in protecting Middlebury from threats to help safeguard Middlebury’s finances, operations, and brand name.

Upon hire and at least annually, all users connected to Middlebury’s cardholder data environment (in any way), are to complete the PCI DSS Computer Based Training Program.  The CBT consists of a Security Awareness Video, the PCI Policy, and a PCI Policy Confidentiality Statement to be electronically signed by all agents.

All agents of the College must read and electronically sign the Confidentiality Agreement on an annual basis, accepting Middlebury's terms and conditions and acknowledging their role in safeguarding Middlebury's environment.  This should also occur when the security refresher training is provided.

Refresher Training

All users, for the entire length of time they are, or remain, connected to Middlebury’s environment, must receive security awareness training on at least an annual basis.  This training may be provided to all users at one time, or may be staggered to take place on an annual basis from the user’s first day of employment or access granted.  Training may occur in-person or via a computer-based training (CBT) format.  Multiple avenues of training

Logs

Attendance logs for security awareness training, both upon hire and annually, must be kept by the MDRP and provided to the PCI Compliance Team upon request.  Exceptions must be communicated to the user's manager together with a defined period of time within which the user must take the training.  Should the user not take the refresher training within that period, they are to be found in violation of this policy.

Security Awareness Vehicles

Supporting vehicles for promoting security awareness are to be maintained throughout the year.  These can include newsletter articles, posters, email reminders, and messages acknowledged upon user login.

Technical Training

In addition to the above, those who have admin or privileged access or roles on systems that transmit, process, or store cardholder data must receive additional technical training to further reinforce and supplement their knowledge of security practices.

Background Check Policy – see http://go.middlebury.edu/backgroundcheck

Security Breach Response

In the event of a breach or suspected breach of security, the Merchant Department must immediately execute each of the relevant steps detailed below:

  1. The MDRP or any individual suspecting a security breach must immediately notify the Incident Response Team at infosec@middlebury.edu, in accordance with the Technical Incident Response Policy, http://go.middlebury.edu/tirp, of an actual breach or suspected breach of credit card information.  Email should be used for the initial notification and to provide a telephone number for the Incident Response Team to respond to.  Details of the breach should not be disclosed in email correspondence.
  2. The MDRP or any individual suspecting a security breach involving ecommerce also must immediately ensure that the following steps, where relevant, are taken to contain and limit the exposure of the breach:
    • Prevent any further access to or alteration of the compromised system(s): do not log on to the machine and do not change passwords on it.
    • Do not switch off the compromised machine, since powering down destroys volatile evidence such as memory contents; instead, isolate the compromised system(s) from the network by unplugging the network cable.
    • Preserve logs and electronic evidence.
    • Log all actions taken.
    • Document all conditions, personnel, and events around system at time of and leading up to suspected breach.
    • Be on HIGH alert and monitor all ecommerce applications.

Shared Hosting & Service Provider Management

Third parties, with whom cardholder data is shared, are contractually required to adhere to the PCI DSS requirements and to acknowledge that they are responsible for the security of the cardholder data which they process.  Only the minimum amount of data needed to complete the transaction will be shared with a 3rd party.  All interaction must be documented and logged.

A current and comprehensive list of Service Providers must be maintained.  See Z:\Controllers Office\PCI Compliance\Vendor; Service Provider documentation for list of providers.  The spreadsheet will contain the following information:

  • Service Provider Name
  • Service being provided (description)
  • PCI Validation Required
  • Validation Date
  • Expiration Date
  • Assessor
  • Functional Area

Written agreement, with Service Providers, includes an acknowledgement by the service providers of their responsibility for securing cardholder data.  See the Contract Policy, http://go.middlebury.edu/contractpolicy for Data Privacy and Breach Notification language required in all contracts pertaining to cardholder data.

Verify that policies and procedures are documented and were followed, including proper due diligence, prior to engaging any service provider.

 

**Note: a merchant SAQ will not be accepted as proof of compliance from a Service Provider.  All Service Providers must complete either an SAQ D AOC for Service Providers or an on-site assessment AOC for Service Providers.  

PCI Requirements Reference

2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. 

3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all CHD storage

3.2 Do not store sensitive authentication data after authorization (even if encrypted).  If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

3.3 Mask PAN when displayed

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

9.5 Physically secure all media

9.6 Maintain strict control over the internal and external distribution of any kind of media

9.7 Properly maintain inventory logs of all media and conduct media inventories at least annually

9.8 Destroy media when it is no longer needed for business or legal reasons

9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed.  Secure storage containers used for materials that are to be destroyed.

9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.

12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data

12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

12.10 Implement an incident response plan.  Be prepared to respond immediately to a system breach.

Distribution

This policy is to be distributed to all agents of the College involved with the cardholder data environment, to include Middlebury employees, third-parties, service providers, contractors, temporary employees, and/or other staff members.

The most current version of this policy is to be readily available and accessible at http://go.middlebury.edu/handbook

Exceptions

There are no exceptions to this policy. 

Violations

Individuals found to have violated this policy, whether intentionally or unintentionally, may be subject to disciplinary action and possible termination of employment.

Review Schedule

The next scheduled review date is July 2015 by the PCI Compliance Team, to be approved by the VP for Finance & Treasurer.


 

Appendices

 

Appendix A:  Checklist for Process for Merchant Account Request or Service Provider Change

Appendix B:  Merchant Account Request Form or Service Provider Change

Appendix C:  PROJECT PLAN (PCI Related)

Appendix D: Architecture Standards for PCI DSS Compliance

Related Documents/Links

  • For a list of validated Payment Applications see https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php

 


 

Appendix A:  Checklist for Process for Merchant Account Request or Service Provider Change

 

SUBMIT TO THE PCI COMPLIANCE Team @ PCIComplianceTeam@middlebury.edu  

 

PROJECT NAME:       

 

 

A Contract, that includes payment card processing, must not be signed without approval from the PCI Compliance Team and in adherence to the College Contract Policy. 

 

  1. ____ Functional area determines a need for a credit card/ecommerce account or new Service Provider for an existing process/merchant account.  
  2. ____ Functional area sends the Service Provider the SaaS and Compliance Survey to complete.  The Service Provider must provide a firewall configuration document showing the requested firewall rules, ports, and IP addresses.  Network Security submits its findings to the PCI Compliance Team. 
  3. ____ PCI Compliance Team gives conditional approval for the new application and then sends Project Plan to Information Technology Services for review and priority.   
  4. ____ Information Technology Services department(s) sends approval/non-approval to the PCI Compliance Team for final Merchant Account/Information Technology Services Project Approval. 
  5. ____ Contract is approved in accordance with the College Contract Policy and includes the Data Privacy and Breach Notification clause. 
  6. ____ Functional area, PCI Compliance Team and Information Technology Services to collaborate on prioritization and scheduling of project implementation.
  7. ____ PCI Compliance Team works with the MDRP to administer PCI training for staff/students that will handle cardholder data.   
  8. ____ Functional area works with Finance to ensure the transactions are properly recorded in the general ledger and reconciliation reports are saved in the shared reconciliation file.
  9. ____ PCI Compliance Team to follow up with audits to ensure compliance with PCI policy. 

 

PCI Compliance Team Final Approval:

 

_____________________________________________         

 Finance Representative                               Date                         

 Kim Downs-Burns, AVP for Student Financial Services

______________________________________________

 Information Technology Services Representative                     Date             

Chris Norris, Director of Information Technology Services Security and Advanced Tech.


 


 

Appendix B: Merchant Account Request Form or Service Provider Change

 

SUBMIT TO THE PCI Compliance Team @ PCIComplianceTeam@middlebury.edu  

 

Date:             Requesting Department:                          Name:     

 

Title:              Email:                            Extension:      

 

Describe the goods, services, and/or gifts for which you will receive payments.  Please be specific:      

 

Is this an existing or new source of revenue?       

 

Provide the Banner FOAPAL(s) where funds will be deposited and related fees will be assessed:       

 

Explain why your department wants to accept credit card payments.       

 

What economic benefits do you expect to gain by accepting credit cards?  Please quantify and/or provide additional documentation to support this application.       

 

Describe the frequency of credit card payments.  Is this a one-time event?  Are payments for seasonal or year-round activity?  Provide detailed timeframes.       

 

Will credit card be the sole method of payment?  If not, what other methods of payment do you anticipate accepting for this specific purpose?       

 

How do you plan to process these payments?  (Check all that apply)

 

     In-person (card present)                                      Mail/phone                                Internet

 

*Note: Cardholder data should never be transmitted via email or fax correspondence.

 

If you are planning to accept credit card payments via the Internet, do you have a website?       

 

If so, please provide the URL:        

 

Please indicate the estimated annual dollar volume and number of transactions for each applicable credit card acceptance process:

 

In-person                            $                                     # transactions          

 

Mail/phone                        $                                     # transactions      

 

Internet                               $                                     # transactions      

 

 

Who will be the Merchant Department Responsible Person (MDRP)?  The MDRP, as referenced in the Middlebury (PCI) Policy for Accepting Credit Card and ecommerce Payments, is responsible for managing credit card and/or ecommerce transaction processing.  Include name, job title, phone extension, and describe duties.       

Please identify any additional staff who will be involved in processing credit card payments.  Include name, job title, phone extension, and describe duties.       

Will any other departments, software packages or outside Service Providers be involved in the processing of credit card payments?  If so, please identify all parties and describe their roles and responsibilities.       

Signatures:    

     __________________________, MDRP                        Employee ID: __________

     __________________________, Budget Director             Employee ID: __________

                  

By signing this form, the Merchant Department Responsible Person acknowledges that he/she understands his/her role as outlined in the “Middlebury (PCI) Policy for Accepting Credit Card and ecommerce Payments” and accepts the responsibility of that role.

By signing this form, the Budget Director approves of the business case presented for the department to become a Merchant Department, the Banner information provided and the designated Merchant Department Responsible Person. 

 



Appendix C:  PROJECT PLAN (PCI Related)

SUBMIT TO THE PCI Compliance Team @ PCIComplianceTeam@middlebury.edu   

Name of the Project:

     

Functional Area:

     

Submitted by:

     

Date Submitted:

     

Proposed Start Date:

     

Proposed Completion Date:

     

Priority

      Critical        High        Medium       Low

VP of the Functional area: 

Are they aware of this project?

     

Sponsor:

(Functional Area Representative)

     

Functional Lead:

(if different from sponsor)

     

Technical Lead:

     

Project Manager:
(may be one of the above)

     

Stakeholders involved:

     

Service Provider Technical Contact:

     

Project Objective:

In just a sentence or two, what is the outcome we are trying to achieve – think outcome.

Project Scope:

Describe in detail the requirements of this project: 

  • Middlebury-owned merchant account or Service Provider merchant account?
  • If a Middlebury merchant account, is the payment processing gateway CyberSource or Mercury?
  • Will your project require Banner modification or enhancement?
  • Will your project require web development?
  • If this is a point-of-sale system, provide its PA-DSS validation listing from the PCI SSC.
  • Provide a firewall configuration document showing the requested firewall rules, ports, IP configuration and server requirements (will Information Technology Services manage the server?).
  • Will you need a network jack installed for the payment processing equipment?
  • Who is responsible for system administration (management, patching and operations, including anti-virus) of the system?
  • Include reporting requirements.
  • Have the stakeholders involved been consulted?

Project timeline and key milestones (please note the latest acceptable completion date):

Project Justification:

  • Why are we doing this project?       
  • How hard will it be to support this on an on-going basis?       
  • Does it require deep technical knowledge?       
  • Will the solution grow with our needs?       
  • Does it help promote administrative efficiency?        
  • Will it remove complex paper-based processes?       
  • Does it keep us in compliance with the law or with campus policy?       
  • Can it help us recruit and retain the very best students?       
  • Can it help us raise money for the College more effectively?       
  • Will it increase revenue for the College?       

Costs (List all hardware, software, network, staff, facilities, and other costs):

 

SIGN OFF

Project Sponsor: _________________________________ Date: _____________________

This project specification is complete and accurate to the best of my understanding, and I authorize appropriate staff to begin development based upon this specification.

Project Team

Project Manager: _________________________________ Date: _____________________

Functional Lead(s): _______________________________ Date: _____________________

Technical Lead(s): ________________________________ Date: _____________________



Appendix D: Architecture Standards for PCI DSS Compliance

There are a number of considerations for securing both system and network architecture with respect to PCI DSS across the College campuses.  This section of the policy is broken into three parts: core infrastructure, servers and systems, and remote terminals.  Each part states how the respective infrastructure must be configured for monitoring, access, and network connectivity in relation to the larger Middlebury network.

Core Infrastructure:

  • Payment transactions will be isolated on a logically and physically separate segment of the network.  This segment will be used exclusively for payment card and ecommerce transactions.
  • The PCI restricted network segment will only allow connections initiated from inside the secure segment, or connections between the secure segment and 140.233.0.0/17.
  • Outbound traffic from the PCI network segments will be restricted to what is appropriate for payment processing.
  • HTTP traffic will be prohibited on the PCI segments.  HTTPS will be allowed on an as-needed basis.
  • The PCI segment will be monitored and segmented from the general Middlebury network by technology compliant with the PCI standard.
  • The PCI segment will be isolated from the campus wireless network and will be segmented off with appropriate ACL restrictions and firewall rule sets.
  • No device that provides wireless access will be allowed to connect to the network inside the PCI segment.
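The core infrastructure clauses above translate directly into constraints that a proposed firewall rule set (such as the one a project plan must attach) can be checked against before the PCI Compliance Team reviews it.  The following script is an added example, not part of the Middlebury policy or of any College tooling: it encodes the initiator, outbound, HTTP and HTTPS clauses and reports which ones a proposed rule would break.  The PCI segment range (10.10.50.0/24), the approved HTTPS peer list, the Rule format and the sample rules are assumptions made for illustration; 140.233.0.0/17 is the only range the policy itself names.

```python
"""Check proposed PCI-segment firewall rules against the Core Infrastructure clauses.

Added example, not part of the Middlebury policy or its tooling.  The PCI segment
range, the approved HTTPS peer list and the sample rules are assumptions made for
illustration; 140.233.0.0/17 is the range the policy itself names.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Named in the policy: the only network outside the segment that may exchange traffic with it.
CAMPUS = ipaddress.ip_network("140.233.0.0/17")
# Assumption: a hypothetical address range for the PCI segment.
PCI_SEGMENT = ipaddress.ip_network("10.10.50.0/24")
# Assumption: peers the PCI Compliance Team has approved for HTTPS "on an as-needed basis"
# (here a hypothetical payment gateway in the TEST-NET-3 documentation range).
APPROVED_HTTPS_PEERS = [ipaddress.ip_network("203.0.113.0/24")]

HTTP, HTTPS = 80, 443


@dataclass(frozen=True)
class Rule:
    """A stateful firewall rule: src initiates the connection, dst answers on dport."""
    src: str
    dst: str
    dport: int
    action: str = "allow"


def _within(net: ipaddress.IPv4Network, allowed: list[ipaddress.IPv4Network]) -> bool:
    """True when net lies entirely inside one of the allowed networks."""
    return any(net.subnet_of(a) for a in allowed)


def violations(rule: Rule) -> list[str]:
    """Return the clauses a proposed rule would break; an empty list means it is acceptable."""
    if rule.action != "allow":
        return []                                   # a deny never widens exposure
    src = ipaddress.ip_network(rule.src)
    dst = ipaddress.ip_network(rule.dst)
    if not (src.overlaps(PCI_SEGMENT) or dst.overlaps(PCI_SEGMENT)):
        return []                                   # does not touch the segment; out of scope here
    src_inside = src.subnet_of(PCI_SEGMENT)         # a range that only partly overlaps counts as outside
    found: list[str] = []

    # Clause 2: connections are initiated from inside the segment or from 140.233.0.0/17 only.
    if not src_inside and not src.subnet_of(CAMPUS):
        found.append("initiator is outside both the PCI segment and 140.233.0.0/17")

    # Clause 3: outbound traffic is limited; a destination of "anywhere" is not limited.
    if src_inside and not _within(dst, [PCI_SEGMENT, CAMPUS, *APPROVED_HTTPS_PEERS]):
        found.append("outbound destination is not the segment, 140.233.0.0/17 or an approved peer")

    # Clause 4: no HTTP at all; HTTPS only with a peer on the approved as-needed list.
    if rule.dport == HTTP:
        found.append("HTTP (tcp/80) is prohibited on the PCI segment")
    elif rule.dport == HTTPS:
        peer = dst if src_inside else src           # the end of the connection outside the segment
        if not peer.subnet_of(PCI_SEGMENT) and not _within(peer, APPROVED_HTTPS_PEERS):
            found.append("HTTPS (tcp/443) peer is not on the approved as-needed list")
    return found


def audit(rules: list[Rule]) -> list[tuple[Rule, list[str]]]:
    """Return only the rules that would violate the architecture standard, with their reasons."""
    rejected = []
    for rule in rules:
        why = violations(rule)
        if why:
            rejected.append((rule, why))
    return rejected


if __name__ == "__main__":
    # Constructed sample rule set, as might be attached to a project plan firewall document.
    proposed = [
        Rule("140.233.10.0/24", "10.10.50.10/32", 22),      # campus admin hosts to a PCI server: ok
        Rule("10.10.50.10/32", "203.0.113.5/32", HTTPS),    # PCI server to the approved gateway: ok
        Rule("0.0.0.0/0", "10.10.50.10/32", HTTPS),         # "any" inbound: rejected
        Rule("10.10.50.0/24", "0.0.0.0/0", HTTP),           # unrestricted outbound HTTP: rejected
    ]
    for rule, why in audit(proposed):
        print(f"REJECT {rule.src} -> {rule.dst}:{rule.dport}")
        for reason in why:
            print(f"    {reason}")
```

A rule whose source only partly overlaps the segment (for example a /16 that contains it) is treated as initiated from outside, which is the conservative reading of the second clause; a vendor request for "any" inbound access to a PCI host is rejected on two counts, the initiator and the unapproved HTTPS peer.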

Servers and Systems:

  • Workstations used for dual purposes, such as ecommerce and general business applications, should use an RDP session to connect to a secured system inside the PCI network segment for the ecommerce applications.
  • Vendor-provided servers must be hardened and covered by an SLA that accounts for patch management and anti-virus.  The MDRP is responsible for oversight in their area.
  • All ecommerce servers and systems must run current and valid anti-virus software.  The MDRP is responsible for oversight in their area.
  • Ecommerce servers and systems must be patched against current vulnerabilities and threats, for both the operating system and applications.  The MDRP is responsible for oversight in their area.

Remote Terminals:

  • Only VeriFone or comparable approved PIN acceptance devices (see the PCI SSC list at https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php) may be used outside the designated PCI segment of the network.  Use of any device outside the PCI segment of the network requires approval from the PCI Compliance Team.
  • Use of cellular phones, iPads and tablets for payment processing is prohibited until a formal standard is approved by the PCI SSC and adopted by the PCI Compliance Team.

 

 



rev. 8/5/14