Middlebury PCI DSS – Policy for Accepting Credit Card and ecommerce Payments
Approved: October 2012 V1.0, Updated: September 2013 V1.1, Updated: August 2014 V1.2
3.0 Authority & Responsibility
Cardholder Data Handling, Retention and Disposal
Merchant Account Request
Security Awareness Program
Security Breach Response
Shared Hosting & Service Provider Management
Appendix A: Checklist for Process for Merchant Account Request or Service Provider Change
Appendix B: Merchant Account Request Form or Service Provider Change
Appendix C: PROJECT PLAN (PCI Related)
Appendix D: Architecture Standards for PCI DSS Compliance
The intent of this policy document is to guide the College in complying with the Payment Card Industry Data Security Standard (PCI DSS). This policy addresses the Standards that are contractually imposed by the major credit card brands on merchants that accept payment cards. These security requirements apply to all transactions surrounding the payment card industry whether electronically driven or hard copy format. Many departments and merchants on campus process credit card transactions in the course of daily business. As such, it is the intent of Middlebury through these policies to protect the privacy of our customers and maintain compliance with Payment Card Industry Data Security Standards (PCI DSS).
Any College employee, contractor, individual, or entity (hereinafter referred to as agent), and any systems and networks, involved with the transmission, storage and/or processing of credit card numbers at Middlebury, in the course of doing business on behalf of the College, are subject to this policy and to the administrative and technical policies located in the College Handbook. Not all components of the requirements listed in this document are directly applicable to the individual Middlebury merchants, but they are required to be attained by Middlebury as a whole.
It is the policy of Middlebury that only departments who have been approved may accept payment for goods or services via credit card. Failure to comply with the terms of these policies may result in disciplinary actions and could also limit a department’s credit card acceptance privileges. The PCI Compliance Team’s purpose is to educate all entities in the College’s payment environment and to enforce the PCI DSS Policies contained herein. Questions regarding this policy should be directed to the Middlebury PCI DSS Compliance Team.
The College may modify this policy from time to time and as required annually, provided that all modifications are consistent with current PCI DSS. The College PCI policy was approved by Patrick J. Norton, VP for Finance and Treasurer, October 16, 2012. The PCI Compliance Team is responsible for initiating and overseeing an annual review of this Policy, making appropriate revisions and updates and issuing the revised policy to appropriate Merchant Departments. This policy was updated on September 12, 2013, and again on August 11, 2014.
CDE - Cardholder data environment
Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission.
CHD – Cardholder Data
Credit Card components that are required to be protected. These include: Primary Account Number, Cardholder Name, Expiration Date, Service Code, and Card Verification Code
The buying and selling of products or services over the Internet.
MDRP – Merchant Department Responsible Person
Any department accepting credit card payments on behalf of the College for gifts, goods, or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for ecommerce and credit card transaction processing within that department.
Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.
A bank account that allows businesses to accept payments by payment cards. A merchant account is established under an agreement between an acceptor and a merchant acquiring bank for the settlement of payment card transactions.
An e-commerce application service provider service that authorizes credit card payments
A company, often third party, appointed by a merchant to handle credit card transactions for merchant acquiring banks.
PCI DSS COMPLIANCE
The Payment Card Industry Data Security Standard (PCI DSS) is a mandated set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.
Point of Sale (POS)
The location where a credit card transaction occurs through a terminal or register.
Middlebury Security and Compliance Survey; required for all new Service Providers.
Self-Assessment Questionnaire (SAQ)
A validation tool to help merchants validate their compliance with PCI-DSS.
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.
Credit card transactions are processed through an external party to Middlebury. Software may or may not be owned by Middlebury.
For a comprehensive list of definitions used by the PCI Security Standards Council, please use the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf
Access to system components and cardholder data must be restricted to only those individuals whose job requires such access, and only to the level of access required. Access to the processing facilities (Gift Administration and Cashiers Office, excluding POS systems) and Data Center(s) is physically secured. Sufficient controls are in place to identify individuals entering/exiting.
Access to cardholder data environments and business processes is controlled on the basis of business and security requirements.
- Only those staff or authorized third parties requiring access to cardholder data in the regular course of their duties are granted access to the cardholder data environment, including both physical and electronic records (ex. CyberSource).
- In assigning access privileges to cardholder data environments, Middlebury will adhere to the model of least privilege. Separation of duties will be employed whenever feasible to limit the chance of unauthorized modification of cardholder data or other fraudulent activities.
- Authorized users will have unique IDs for access to all systems related to payment card processing; shared or group accounts are not permitted.
- A user will be locked out of the cardholder data systems for 30 minutes after six (6) failed login attempts. Positive ID must occur prior to password reset.
- Upon change in job or duties, user access to cardholder data environments will be evaluated and the model of least privilege will be utilized—access to cardholder data environment may be revoked if no longer required for job.
- Upon termination of employment or relationship with Middlebury College, physical access to documents or other resources related to cardholder data is immediately prevented.
Each department accepting credit cards will be required to complete an online annual Self-Assessment Questionnaire (SAQ). The applicable processing type will determine the SAQ to be completed by each department. Assistance in determining the appropriate SAQ Type will be provided.
**Middlebury does not store any cardholder data, in printed or electronic form**
Cardholder data is classified as Extremely Sensitive Data, see the Data Classification Policy at http://go.middlebury.edu/dcp. Data can be in electronic or printed format, and may be transmitted and/or processed in the cardholder environment. Middlebury’s cardholder environment includes all systems, applications, equipment, individuals, locations, and connections used for, and involved with, the transmittal, processing, and/or storage of cardholder data. Appropriate facility entry controls must be used to limit and monitor physical access to systems in the cardholder data environment. Middlebury does not store cardholder data in printed or electronic form.
Physical Handling of Cardholder Data
Cardholder data must not be accepted via email. If an email is received containing cardholder data, a snapshot of the email header must be sent to the PCI Compliance Team at email@example.com for logging. DO NOT FORWARD or PRINT the cardholder data. Delete the email from Inbox and Deleted Items folder. It is also necessary to delete it from the “Recover Deleted Items” folder. Follow up with the constituent and advise of the appropriate methods of conveying a credit card payment.
Cardholder data must not be accepted via fax. If a fax is received with cardholder data, immediately shred it in a crosscut shredder. Notify the PCI Compliance Team with the name, date, and location at which the cardholder data was received. Follow up with the constituent and advise of the appropriate methods of conveying a credit card payment.
Cardholder Data received for manual processing (mail, hand delivered) must be processed in a credit card merchant account (ex. CyberSource) the same day it is received if possible, **but absolutely no later than 1 business day (excluding calendar and fiscal year periods)**. Upon successful entry into the Payment Processor, all cardholder data must be redacted from the documentation.
Acceptable methods for cardholder data redaction are cross cut shredding or incineration. Cardholder data must not be placed in Shredding Bins/Receptacles.
Any cardholder data (number, expiration date and CSV code) that has not been processed through a credit card merchant account (ex. CyberSource) and is pending entry in the payment processor shall be housed in a secure/locked location. Only authorized staff shall have access to the keys/combination. See User Authentication and Access Policy and Background Check Policy.
The processing and storage of personally identifiable credit card or payment information on College computers and servers is prohibited.
The Primary Account Number (PAN) must be masked when displayed (the first six and last four digits are the maximum number of digits permitted to be displayed). The three-digit card-validation code printed on the signature panel of a credit card is never stored in any form. The full contents of any track from the magnetic stripe (on the back of a credit card, in a chip, etc.) are never stored in any form.
Each department must maintain strict control over the internal and external distribution of any kind of media that contain cardholder data. All media moved from a designated secure area (department the cardholder data is delivered to) must be marked confidential, documented on a triplicate copy media removal tracking log, and transported in a secure bag by Public Safety or a document service. No media containing cardholder data may leave the premises of the department that accepted it for processing. Materials sent to constituents, with a designated area for written cardholder data, to be returned to Middlebury must have the return address of the department that will process the cardholder data on the return vehicle. Charitable donations, PASS, FOA, FOL, etc. Every effort should be made to eliminate the area for written cardholder data on appeals, instead noting a secure means to make a credit card payment via a secure online form, by check, or by phone.
Electronic Cardholder Data
See Cardholder Data Environment Hardware Security Policy for Network and Appendix D for CDE Architecture.
Retention & Disposal
Middlebury does not store/retain cardholder data in any form; therefore cardholder data is not subject to the Record Retention Policy, http://go.middlebury.edu/recordretention. Inventory of stored cardholder data is N/A.
Cardholder data in written form is redacted immediately following authorization in the payment gateway. Acceptable forms of redaction are crosscut shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
Middlebury utilizes a programmatic process to discover and remove stored cardholder data on a monthly basis.
See the Data Classification Policy at http://go.middlebury.edu/dcp for data classification levels. Cardholder data is classified as Extremely Sensitive Data.
Any department accepting credit card payments on behalf of Middlebury for gifts, goods, or services (“Merchant Department”) must designate an individual within that department who will have primary authority and responsibility for ecommerce and credit card transaction processing within that department, known as the MDRP. MDRP responsibilities can be seen at http://go.middlebury.edu/MDRP .
Each Merchant Department must have an MDRP at all times. It is the responsibility of the MDRP and the MDRP’s direct supervisor to ensure this role is filled. The direct supervisor must record and track any change in MDRPs.
MDRP Responsibilities include, but are not limited to, the following:
- Manage the Security Awareness Program, within the relevant Merchant Department, for all employees (including the MDRP), contractors, and agents, with access to payment card data. The MDRP should submit all PCI Confidentiality Statements, upon request, to the PCI Compliance Team.
- Ensure that all credit card data collected by the relevant Merchant Department in the course of performing Middlebury business, regardless of how the payment card data is received, is handled per the Cardholder Data Handling, Retention and Disposal Procedure outlined in this policy.
- Ensure that all credit card transactions are reviewed and reconciled to daily merchant reports. Upload daily reconciliation reports to a shared Finance folder.
- Ensure only dedicated, approved hardware/software is utilized to process card payments. Use of cellular phone, iPad, and tablet-based payment processing is prohibited until such time as a formal standard is approved by the PCI SSC and adopted by the PCI Compliance Team.
- Ensure all Point of Sale (POS) devices deploy anti-virus software. Ensure all anti-virus mechanisms are current, actively running and generating audit logs. Retain audit trail history for a minimum of one year.
- Ensure all POS devices are updated and patched with the latest vendor supplied security patches on a weekly basis.
- Ensure Point of Sale devices are physically secured. Inspect Point of Sale devices on a weekly basis, for tampering or substitution. Non-production systems must be secured in a locked facility and regularly inventoried. Retain inspection log for a minimum of one year.
- Verify and collect PCI DSS AOC Compliance Certificate and/or PA-DSS Validation certificate (POS systems) on all service providers within the relevant Merchant Department on an annual basis. The MDRP should retain a copy of the certificates and submit a copy to the PCI DSS Compliance Operations Team upon receipt.
- Initiate process to implement new payment solutions or Service Provider change, see Merchant Account Request below.
- Ensure user access to the cardholder data environment within the relevant Merchant Department is revoked when the individual’s job no longer requires access to the CDE. Maintain a quarterly audit log of user access to the cardholder data environment for one year.
- The MDRP is responsible for initiating the process in the event of a security breach, see Security Breach Response below.
The MDRP must follow the process noted in Appendix A: Checklist for Process for Merchant Account Request or Service Provider Change, Appendix B: Merchant Account Request Form or Service Provider Change and Appendix C: PROJECT PLAN (PCI Related), located at the end of this policy, to implement payment card processing and ecommerce at Middlebury. These steps must also be completed in the event of a significant system or Service Provider change in payment card and ecommerce processing systems.
This Security Awareness Policy details the requirements for the Security Awareness Training of users with physical and logical access to Middlebury’s cardholder data environment for Payment Card Industry (PCI) compliance. All persons with physical and logical access to Middlebury’s environment, whether employees, third-parties, service providers, contractors, temporary employees, and/or other staff members, must be trained on their role in protecting Middlebury from threats to help safeguard Middlebury’s finances, operations, and brand name.
Upon hire and at least annually, all users connected to Middlebury’s cardholder data environment (in any way), are to complete the PCI DSS Computer Based Training Program. The CBT consists of a Security Awareness Video, the PCI Policy, and a PCI Policy Confidentiality Statement to be electronically signed by all agents.
All agents of the College must, on an annual basis, read and electronically sign the Confidentiality Agreement, indicating their agreement with Middlebury’s terms and conditions and acknowledging their role in safeguarding Middlebury’s environment. This should also occur when the security refresher training is provided.
All users, for the entire length of time they are, or remain, connected to Middlebury’s environment, must receive security awareness training on at least an annual basis. This training may be provided to all users at one time, or may be staggered to take place on an annual basis from the user’s first day of employment or access granted. Training may occur in-person or via a computer-based training (CBT) format. Multiple avenues of training
Attendance logs for those who attend security awareness training, both upon hire and annually, must be kept by the MDRP and provided to the PCI Compliance Team upon request. Exceptions must be communicated to the user’s manager with a defined period of time within which the user must take the training. Should the user not take the refresher training within that period, they are to be found in violation of this policy.
Security Awareness Vehicles
Supporting vehicles for promoting security awareness are to be maintained throughout the year. These can include newsletter articles, posters, email reminders, and messages acknowledged upon user login.
In addition to the above, those who have admin or privileged access or roles with systems which transmit, process, and store cardholder data must receive additional technical training to further reinforce and supplement their knowledge of security practices.
Background Check Policy – see http://go.middlebury.edu/backgroundcheck
In the event of a breach or suspected breach of security, the Merchant Department must immediately execute each of the relevant steps detailed below:
- The MDRP or any individual suspecting a security breach must immediately notify the Incident Response Team at firstname.lastname@example.org, in accordance with the Technical Incident Response Policy, http://go.middlebury.edu/tirp, of an actual breach or suspected breach of credit card information. Email should be used for the initial notification and to provide a telephone number for the Incident Response Team to respond to. Details of the breach should not be disclosed in email correspondence.
- The MDRP or any individual suspecting a security breach involving ecommerce also must immediately ensure that the following steps, where relevant, are taken to contain and limit the exposure of the breach:
  - Prevent any further access to or alteration of the compromised system(s). (i.e., do not log on at all to the machine and/or change passwords)
  - Do not switch off the compromised machine; instead, isolate the compromised system(s) from the network by unplugging the network connection cable.
  - Preserve logs and electronic evidence.
  - Log all actions taken.
  - Document all conditions, personnel, and events around the system at the time of and leading up to the suspected breach.
  - Be on HIGH alert and monitor all ecommerce applications.
Third parties, with whom cardholder data is shared, are contractually required to adhere to the PCI DSS requirements and to acknowledge that they are responsible for the security of the cardholder data which they process. Only the minimum amount of data needed to complete the transaction will be shared with a 3rd party. All interaction must be documented and logged.
A current and comprehensive list of Service Providers must be maintained. See Z:\Controllers Office\PCI Compliance\Vendor; Service Provider documentation for list of providers. The spreadsheet will contain the following information:
- Service Provider Name
- Service being provided-description:
- PCI Validation Required:
- Validation Date
- Expiration Date
- Functional Area
Written agreements with Service Providers include an acknowledgement by the Service Providers of their responsibility for securing cardholder data. See the Contract Policy, http://go.middlebury.edu/contractpolicy, for Data Privacy and Breach Notification language required in all contracts pertaining to cardholder data.
Verify that policies and procedures are documented and were followed including proper due diligence prior to engaging any service provider.
- Verify Service Provider on Visa Global Registry for Service Providers at http://www.visa.com/splisting/searchGrsp.do or The MasterCard Compliant Service Provider List at http://www.mastercard.com/us/company/en/docs/SP_Post_List.pdf .
- If Service Provider is not on the Visa Global Registry or The MasterCard Service Provider List, Service Provider must provide either an SAQ D AOC or an On-Site Assessment AOC for Service Providers.
- Third-Party providers must provide either an SAQ D AOC or an On-Site Assessment AOC for Service Providers.
- Verify Payment Applications are validated on the PA DSS List of Validated Payment Applications at https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php .
**Note: SAQs for Merchants will not be accepted as proof of compliance. All Service Providers must complete either an SAQ D AOC or an On-Site Assessment AOC for Service Providers.
PCI Requirements Reference
2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data.
3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all CHD storage
3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
3.3 Mask PAN when displayed
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
9.5 Physically secure all media
9.6 Maintain strict control over the internal and external distribution of any kind of media
9.7 Properly maintain inventory logs of all media and conduct media inventories at least annually
9.8 Destroy media when it is no longer needed for business or legal reasons
9.8 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data
12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.
This policy is to be distributed to all agents of the College involved with the cardholder data environment, to include Middlebury employees, third-parties, service providers, contractors, temporary employees, and/or other staff members.
The most current version of this policy is to be readily available and accessible at http://go.middlebury.edu/handbook.
There are no exceptions to this policy.
Individuals found to have violated this policy, whether intentionally or unintentionally, may be subject to disciplinary action and possible termination of employment.
The next scheduled review date is July 2015 by the PCI Compliance Team, to be approved by the VP for Finance & Treasurer.
Appendix A: Checklist for Process for Merchant Account Request or Service Provider Change
Appendix B: Merchant Account Request Form or Service Provider Change
Appendix C: PROJECT PLAN (PCI Related)
Appendix D: Architecture Standards for PCI DSS Compliance
- Middlebury PCI DSS Information Pages http://go.middlebury.edu/pcidss
- Middlebury’s PCI DSS Policy for Accepting Credit Card and ecommerce Payments http://go.middlebury.edu/pcipolicy
- PCI Compliance Team http://go.middlebury.edu/pcicomplianceteam
- Merchant Request Form and Service Provider Change http://go.middlebury.edu/pcidss
- The Background Check Policy http://go.middlebury.edu/backgroundcheck
- The Data Classification Policy http://go.middlebury.edu/dcp
- The Password Policy http://go.middlebury.edu/passwordpolicy
- The Technology Incident Response Policy http://go.middlebury.edu/tirp
- The web site for the PCI DSS Security Standards Council https://www.pcisecuritystandards.org/
- PCI DSS Overview https://www.pcisecuritystandards.org/security_standards/index.php
- PCI DSS Self-Assessment Questionnaire Overview and instructions https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
- For a list of Visa validated service providers see http://usa.visa.com/merchants/risk_management/cisp_service_providers.html .
- For a list of validated Payment Applications see
A contract that includes payment card processing must not be signed without approval from the PCI Compliance Team and must adhere to the College Contract Policy.
- ____ Functional area determines a need for a credit card/ecommerce account or new Service Provider for an existing process/merchant account.
- ____ Functional area sends the Service Provider the SaaS and Compliance Survey to complete. Service Provider must provide a firewall configuration document showing the requested firewall, ports, and IP configuration. Network Security submits findings to PCI Compliance Team.
- ____ PCI Compliance Team gives conditional approval for the new application and then sends Project Plan to Information Technology Services for review and priority.
- ____ Information Technology Services department(s) sends approval/non-approval to the PCI Compliance Team for final Merchant Account/Information Technology Services Project Approval.
- ____ Contract is approved in accordance with the College Contract Policy and includes the Data Privacy and Breach Notification clause.
- ____ Functional area, PCI Compliance Team and Information Technology Services to collaborate on prioritization and scheduling of project implementation.
- ____ PCI Compliance Team works with the MDRP to administer PCI training for staff/students that will handle cardholder data.
- ____ Functional area works with Finance to ensure the transactions are properly recorded in the general ledger and reconciliation reports are saved in the shared reconciliation file.
- ____ PCI Compliance Team to follow up with audits to ensure compliance with PCI policy.
PCI Compliance Team Final Approval:
Finance Representative Date
Kim Downs-Burns, AVP for Student Financial Services
Information Technology Services Representative Date
Chris Norris, Director of Information Technology Services Security and Advanced Tech.
SUBMIT TO THE PCI Compliance Team @ PCIComplianceTeam@middlebury.edu
Date: Requesting Department: Name:
Title: Email: Extension:
Describe the goods, services, and/or gifts for which you will receive payments. Please be specific:
Is this an existing or new source of revenue?
Provide the Banner FOAPAL(s) where funds will be deposited and related fees will be assessed:
Explain why your department wants to accept credit card payments.
What economic benefits do you expect to gain by accepting credit cards? Please quantify and/or provide additional documentation to support this application.
Describe the frequency of credit card payments. Is this a one-time event? Are payments for seasonal or year-round activity? Provide detailed timeframes.
Will credit card be the sole method of payment? If not, what other methods of payment do you anticipate accepting for this specific purpose?
How do you plan to process these payments? (Check all that apply)
In-person (card present) Mail/phone Internet
*Note: Cardholder data should never be transmitted via email or fax correspondence.
If you are planning to accept credit card payments via the Internet, do you have a website?
If so, please provide the URL:
Please indicate the estimated annual dollar volume and number of transactions for each applicable credit card acceptance process:
In-person $ # transactions
Mail/phone $ # transactions
Internet $ # transactions
Who will be the Merchant Department Responsible Person (MDRP)? The MDRP, as referenced in the Middlebury (PCI) Policy for Accepting Credit Card and ecommerce Payments, is responsible for managing credit card and/or ecommerce transaction processing. Include name, job title, phone extension, and describe duties.
Please identify any additional staff who will be involved in processing credit card payments. Include name, job title, phone extension, and describe duties.
Will any other departments, software packages or outside Service Providers be involved in the processing of credit card payments? If so, please identify all parties and describe their roles and responsibilities.
__________________________ Employee ID:
__________________________ Employee ID:
, Budget Director
By signing this form, the Merchant Department Responsible Person acknowledges that he/she understands his/her role as outlined in the “Middlebury (PCI) Policy for Accepting Credit Card and ecommerce Payments” and accepts the responsibility of that role.
By signing this form, the Budget Director approves of the business case presented for the department to become a Merchant Department, the Banner information provided and the designated Merchant Department Responsible Person.
SUBMIT TO THE PCI Compliance Team @ PCIComplianceTeam@middlebury.edu
Name of the Project:
Proposed Start Date:
Proposed Completion Date:
Critical High Medium Low
VP of the Functional area:
Are they aware of this project?
(Functional Area Representative)
(if different from sponsor)
Service Provider Technical Contact:
In just a sentence or two, what is the outcome we are trying to achieve – think outcome.
Describe in detail the requirements of this project:
- Middlebury Owned Merchant Account or Service Provider Merchant Account?
- If Middlebury Merchant Account- is the Payment Processing Gateway CyberSource or Mercury?
- Will your project require Banner modification or enhancement?
- Will your project require Web development?
- If this is a Point-of-Sales system, please provide PA DSS Validation from PCI SSC.
- Provide firewall configuration document showing the requested firewall, ports, IP Configurations, server requirements (will Information Technology Services manage the server?).
- Will you need a network jack installed for the payment processing equipment?
- Who is responsible for system administration: management, administration, patching, and operations (incl. anti-virus) of the system?
- Include reporting requirements.
- Have the stakeholders involved been consulted?
Project timeline and key milestones (please note the latest acceptable completion date):
- Why are we doing this project?
- How hard will it be to support this on an on-going basis?
- Does it require deep technical knowledge?
- Will the solution grow with our needs?
- Does it help promote administrative efficiency?
- Will it remove complex paper-based processes?
- Does it keep us in compliance with the law or with campus policy?
- Can it help us recruit and retain the very best students?
- Can it help us raise money for the College more effectively?
- Will it increase revenue for the College?
Costs (List all hardware, software, network, staff, facilities, and other costs):
Project Sponsor: _________________________________ Date: _____________________
This project specification is complete and accurate to the best of my understanding, and I authorize appropriate staff to begin development based upon this specification.
Project Manager: _________________________________ Date: _____________________
Functional Lead(s): _______________________________ Date: _____________________
Technical Lead(s): ________________________________ Date: _____________________
There are a number of considerations for securing both systems and network architecture with respect to PCI DSS across the College campuses. This section of the policy is divided into three parts: core infrastructure, systems and servers, and remote terminals. Each part describes how the respective infrastructure must be configured for monitoring, access, and network connectivity in relation to the larger Middlebury network.
- Payment transactions will be carried on a logically and physically isolated segment of the network. This segment will be used exclusively for payment card and e-commerce transactions.
- The PCI restricted network segment will only allow connections initiated from inside the secure segment or between the secure segment and 184.108.40.206/17.
- Outbound traffic from the PCI network segments will be limited to appropriately.
- HTTP traffic will be prohibited from the PCI segments. HTTPS will be allowed on an as-needed basis.
- The PCI segment will be monitored and segmented from the general Middlebury network by technology compliant with the PCI standard.
- The PCI segment will be isolated from the campus wireless network and will be segmented off with appropriate ACL restrictions and firewall rule sets.
- No devices which provide wireless access will be allowed to connect to the network inside of the PCI segment.
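The following added example (not part of the College's policy or tooling) shows how a reviewer could check connection records against three of the rules above: the initiation rule, the HTTP prohibition, and the wireless isolation rule. All network ranges, sample flows, and function names are constructed placeholders; the approved peer range in particular stands in for the range the policy names.

```python
import ipaddress

# Constructed placeholder networks (assumptions, not values from the policy).
PCI_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
APPROVED_PEERS = ipaddress.ip_network("192.0.2.0/24")  # stands in for the approved range
WIRELESS = ipaddress.ip_network("10.99.0.0/16")

def audit_flow(src, dst, dport):
    """Return policy findings for one connection; src is the initiator."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_pci, dst_pci = s in PCI_SEGMENT, d in PCI_SEGMENT
    if not (src_pci or dst_pci):
        return []  # flow does not touch the PCI segment
    findings = []
    # Connections into the segment may only come from the approved range.
    if dst_pci and not src_pci and s not in APPROVED_PEERS:
        findings.append("inbound-from-unapproved-source")
    # The segment must be isolated from the wireless network.
    if s in WIRELESS or d in WIRELESS:
        findings.append("wireless-to-pci")
    # Plain HTTP is prohibited on the PCI segments.
    if dport == 80:
        findings.append("http-prohibited")
    return findings

# Constructed sample flows: (initiator, responder, destination port)
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.10", 443),  # PCI host out over HTTPS
    ("10.20.0.15", "203.0.113.10", 80),   # same host over plain HTTP
    ("192.0.2.40", "10.20.0.15", 3389),   # approved peer into the segment
    ("10.99.4.7", "10.20.0.15", 443),     # wireless client into the segment
    ("10.50.1.1", "10.60.1.1", 80),       # unrelated campus traffic
]

def audit(flows):
    """Map each violating flow to its list of findings."""
    results = {}
    for flow in flows:
        findings = audit_flow(*flow)
        if findings:
            results[flow] = findings
    return results

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow, findings)
```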
Servers and Systems:
- Workstations used for dual purposes, such as e-commerce and general business applications, should use an RDP session to connect to a secured system inside of the PCI network segment for the e-commerce applications.
- Vendor-provided servers must be hardened and maintain an SLA that accounts for patch management and anti-virus solutions. The MDRP is responsible for oversight in their area.
- All e-commerce servers and systems must maintain current and valid anti-virus software. The MDRP is responsible for oversight in their area.
- E-commerce servers and systems must be patched against current vulnerabilities and threats for both operating system and application vulnerabilities. The MDRP is responsible for oversight in their area.
- Only VeriFone or comparable approved PIN Acceptance Devices (https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php) may be used outside of the designated PCI segment of the network. Use of any device outside of the PCI segment of the network requires approval from the PCI Compliance Team.
- Use of cellular phone, iPad, and tablet-based payment processing is prohibited until such time as a formal standard is approved by the PCI SSC and adopted by the PCI Compliance Team.