Credit Card Processing
Below is information about credit card processing and the Payment Card Industry Data Security Standard (PCI-DSS).
Background
The Payment Card Industry (PCI) has created requirements for protecting payment card information, including information in computers which process and store credit card and other payment card information. These requirements became effective June 30, 2005 and the University must adhere to these standards to limit its liability and continue to process payments using payment cards.
Scope
All computers and electronic devices at the University of Minnesota involved in processing payment card data are impacted by the PCI Data Security Standard. This includes servers that store payment card numbers, workstations that are used to enter payment card information into a central system (e.g., ordering tickets over the phone), and any computers through which the payment card information is transmitted.
The University and all units that process payment card data have a contractual obligation to adhere to the PCI Data Security Standard (PCI-DSS). The Payment Card Compliance Office and the Office of Information Technology (OIT) are working with departments to assure compliance.
The following actions are required to meet the Payment Card Industry requirements.
For Servers
- Contact the Payment Card Compliance Office to notify them of new merchants or changes to credit card processing for existing merchants. These must be approved by the Payment Card Compliance Office before changes are made to the credit card processing environment.
- Develop or update your network diagram to show all connections to the cardholder data environment. Network and data flow diagrams should include virtual system components and document intra-host data flows. See example.
- Report servers to Payment Card Compliance Office and University Information Security using the Critical Server form. Include the merchant number in the software description area and the merchant manager as the Owner on the form. Report all devices involved in credit card processing, such as production, test/development, backup servers, domain controllers, load balancers.
- Apply security settings to servers and other operating system platforms similar to the settings in the Basic Security Procedure (e.g., host based firewall, anti-virus software and auto updates for security patches) and the Enhanced Security Procedure (e.g., enhanced security configurations) of the University Policy Securing Private Data, Computers & Other Electronic Devices. This includes installing anti-virus software that also provides anti-spyware and anti-adware protection.
- Review what software is running on the computer and remove software not needed. Each open port must have a valid business reason. Complete the Firewall Security Policy/Rules Worksheet below and send to University Information Security to begin the process of setting up the secure credit card vlan.
- All servers involved in credit card processing need to be in a secure credit card vlan. OIT Security will work with your area to set this up. The Firewall Security Policy/Rules Worksheet will be used to determine the secure vlan policy for your servers. See below for servers using an approved redirect product.
- See University Policy Securing Private Data, Computers & Other Electronic Devices for additional steps.
- Internal vulnerability scan will be run on a regular basis using the Qualys internal scanner. Technical contacts are expected to review the scan results and fix or take steps to mitigate the risk. Technical contacts should fix or mitigate the risk on confirmed level 4 or 5 vulnerabilities or vulnerabilities marked with a PCI FAIL status and re-scan to determine if the issue is fixed. If you have taken other steps to mitigate the risk, document what has been done or the compensating control used in a Qualys remediation ticket. If the vulnerability is a false positive, send supporting documentation (including the Qualys Ticket Remediation #, IP address) with subject PCI Internal Scan False Positive Request to University Information Security for review. Once a quarter, run the Qualys PCI Scan Report for Internal Scan and provide a copy of this report to the merchant manager. See Qualys Scanning for PCI Devices (PDF) for more information.
- External scans by an approved PCI scan vendor are required to be run on a regular basis. Technical contacts are expected to review the results and fix or take steps to mitigate the actual or potential high risk vulnerabilities identified on the scan report. Documentation on false positives or information on the other steps taken to mitigate the risk must be sent to OIT Security. The documentation of false positives will be reviewed by the approved PCI scan vendor. Once a quarter, technical contacts should provide a copy of the external scan report to the merchant manager. See below for servers using an approved redirect product.
- Penetration testing of the cardholder data environment and all systems and networks connected to it will be conducted. The Payment Card Compliance Office will work with the Merchant Manager on the process.
- Review the PCI Data Security Standard (PCI-DSS) and work with your area to meet the requirements. The PCI-DSS requirements are control objectives that need to be met by all systems involved in credit card processing.
- Complete the PCI Self-Assessment Questionnaire for your area.
- Fixed IP address or static DHCP must be used for computers involved in credit card processing.
- Use of wireless for credit card processing is not allowed without prior approval from the Payment Card Compliance Office. For departments that must use wireless, see the PCI Self-Assessment Questionnaire for how to secure.
- Web servers must run SSLv3 with strong encryption enabled. SSLv2 must be disabled.
- Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
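The following checker is an added example, not part of this page or of OIT's tooling: it reads an httpd.conf/ssl.conf fragment, evaluates the SSLProtocol tokens the way mod_ssl does (ALL, +name, -name) and confirms that SSLv2 is disabled and that the weak cipher classes in the lines above are excluded. The forbidden-protocol set is a parameter so the same check can be run against the stricter rule in current PCI DSS versions, which also prohibit SSLv3 and early TLS; PAGE_CONFIG is a constructed copy of the directives shown above.

```python
import re

# Protocol names mod_ssl understands; the TLSv1.1+ names exist only in newer Apache releases.
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Cipher classes the cipher string must exclude with a "!" prefix, as the page's lines do.
WEAK_CIPHER_CLASSES = ("aNULL", "eNULL", "ADH", "LOW", "EXP")

# Constructed copy of the mod_ssl directives recommended on this page.
PAGE_CONFIG = """
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""

def enabled_protocols(args):
    """Apply SSLProtocol token rules: ALL = every protocol, +name adds, -name removes, bare name adds."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(KNOWN_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def check_ssl_config(config_text, forbidden_protocols=frozenset({"SSLv2"})):
    """Return a list of findings for an httpd.conf/ssl.conf fragment; [] means it passes."""
    protocol_args = cipher_args = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        m = re.match(r"(\w+)\s+(.+)", line)
        if not m:
            continue
        directive, args = m.group(1).lower(), m.group(2)
        if directive == "sslprotocol":
            protocol_args = args                     # a later directive overrides an earlier one
        elif directive in ("sslciphersuite", "sslrequirecipher"):
            cipher_args = args
    findings = []
    if protocol_args is None:
        findings.append("SSLProtocol not set; the mod_ssl default is all")
    else:
        for proto in sorted(enabled_protocols(protocol_args) & forbidden_protocols):
            findings.append(f"forbidden protocol enabled: {proto}")
    if cipher_args is None:
        findings.append("no SSLCipherSuite/SSLRequireCipher directive found")
    else:
        present = cipher_args.split(":")
        findings += [f"cipher class {c} not excluded" for c in WEAK_CIPHER_CLASSES if "!" + c not in present]
    return findings

if __name__ == "__main__":
    print("page requirement (SSLv2 off):", check_ssl_config(PAGE_CONFIG) or "OK")
    print("current PCI DSS rule:", check_ssl_config(PAGE_CONFIG, frozenset({"SSLv2", "SSLv3", "TLSv1"})))
```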
- Use a secure deletion program to wipe the disk drive when terminating credit card processing. The server will not be removed from the OIT Security Critical List until OIT Security has received verification that the disk and all back up media have been securely wiped using secure deletion software or physical destruction of the media.
- Servers using an approved redirect product do not need to be in a secure credit card vlan and do not need an external vulnerability scan by an approved PCI scan vendor. Contact the Payment Card Compliance Office for a list of approved redirect products.
For Desktops/Other Devices
- Contact the Payment Card Compliance Office to notify them of new merchants or changes to credit card processing for existing merchants. These must be approved by the Payment Card Compliance Office before changes are made to the credit card processing environment.
- Develop or update your network diagram to show all connections to the cardholder data environment. Network and data flow diagrams should include virtual system components and document intra-host data flows. See example.
- Report desktops/devices (including printers) to Payment Card Compliance Office and University Information Security using the Critical Desktop Identification form (PDF or Word version). Include the merchant number in the Important software applications area and merchant manager as the Owner on the form.
- Apply security settings similar to the settings in the Basic Security Procedure (e.g., host based firewall, anti-virus software and auto updates for security patches) and the Enhanced Security Procedure (e.g., enhanced security configurations) of the University Policy Securing Private Data, Computers & Other Electronic Devices. This includes installing anti-virus software that also provides anti-spyware and anti-adware protection. This needs to be completed before the desktop/device is moved into the secure credit card vlan.
- Use the proxy to download operating system updates and anti-virus live updates. See How to use the Proxy.
- Review what software is running on the computer and remove software not needed. General purpose web browsing and e-mail are not allowed. Each open port must have a valid business reason. Complete the Firewall Security Policy/Rules Worksheet below and send to University Information Security to begin the process of setting up a secure credit card vlan.
- All desktops/devices (including printers) involved in credit card processing need to be in a secure credit card vlan. University Information Security will work with your area to set this up. The Firewall Security Policy/Rules Worksheet will be used to determine the secure vlan policy for your desktop/device.
- If disk encryption is needed, use a product like TrueCrypt for encrypting individual files.
- See University Policy Securing Private Data, Computers & Other Electronic Devices for additional steps.
- Vulnerability scans will be run on a regular basis. Technical contacts are expected to review the scan results and fix or take steps to mitigate the risk. Technical contacts should fix or mitigate the risk on confirmed level 4 or 5 vulnerabilities or vulnerabilities marked with a PCI FAIL status and re-scan to determine if the issue is fixed. If you have taken other steps to mitigate the risk, document what has been done or the compensating control used in a Qualys remediation ticket. If the vulnerability is a false positive, send supporting documentation (including the Qualys Ticket Remediation #, IP address) with subject PCI Internal Scan False Positive Request to University Information Security for review. See Qualys Scanning for PCI Devices (PDF) for more information on the process. Once a quarter, run the Qualys PCI Scan Report for Internal Scan and provide a copy of this report to the merchant manager.
- External scans by an approved PCI scan vendor are required to be run on a regular basis. Technical contacts are expected to review the results and fix or take steps to mitigate the actual or potential high risk vulnerabilities identified on the scan report. Documentation on false positives or information on the other steps taken to mitigate the risk must be sent to University Information Security. The documentation of false positives will be reviewed by the approved PCI scan vendor. Once a quarter, technical contacts should provide a copy of the external scan report to the merchant manager.
- Penetration testing of the cardholder data environment and all systems and networks connected to it will be conducted. The Payment Card Compliance Office will work with the Merchant Manager on the process.
- Review the PCI Data Security Standard (PCI-DSS) and work with your area to meet the requirements. The PCI-DSS requirements are control objectives that need to be met by all systems involved in credit card processing.
- Complete the PCI Self-Assessment Questionnaire for your area.
- For desktops, use the operating system (e.g., Windows) built-in firewall. If unable to use the built-in firewall, install a software firewall (e.g., ZoneAlarm, Symantec firewall, etc.).
- Fixed IP address or static DHCP must be used for computers involved in credit card processing.
- Use of wireless for credit card processing is not allowed without prior approval from the Payment Card Compliance Office. For departments that must use wireless, see the PCI Self-Assessment Questionnaire for how to secure.
- Use a secure deletion program to wipe the disk drive when terminating credit card processing. The device will not be removed from the University Information Security Critical List until University Information Security has received verification that the disk and all back up media have been securely wiped using secure deletion software or physical destruction of the media.
Frequently Asked Questions
What form should be completed to set up a Firewall Security Policy (firewall rules) for servers and desktops/devices involved in credit card processing?
Complete one of the following forms:
Why do I need to complete a Firewall Security Policy/Rules Worksheet?
The Firewall Security Policy/Rules Worksheet documents the business reason for each open port and documents the IP addresses that can access the servers, desktops or devices protected by the secure credit card vlan. The Firewall Security Policy/Rules Worksheet is used to configure your secure credit card vlan.
When making firewall requests, you need to provide 6 pieces of information to University Information Security:
- source IP/range
- source port
- destination IP/range
- destination port
- protocol (TCP/UDP)
- Business reason for the change
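An added example, not an OIT form or tool: a small validator for one worksheet row that checks the six fields above before the request is sent, so malformed addresses, impossible port ranges, a non-TCP/UDP protocol, an empty business reason, an any-source rule or a destination outside the cardholder vlan are caught locally. CDE_VLAN is a hypothetical placeholder prefix; the real secure credit card vlan range is assigned by University Information Security.

```python
import ipaddress

PROTOCOLS = {"TCP", "UDP"}
# Hypothetical prefix standing in for the secure credit card vlan (documentation range, not a real one).
CDE_VLAN = ipaddress.ip_network("192.0.2.0/24")

def parse_port(value):
    """Accept 'any', one port, or a range 'lo-hi'; return (lo, hi) or raise ValueError."""
    value = value.strip()
    if value.lower() == "any":
        return (1, 65535)
    lo, _, hi = value.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {value}")
    return (lo, hi)

def validate_rule_request(req, cde_vlan=CDE_VLAN):
    """Check one worksheet row given as a dict with keys src, src_port, dst, dst_port, protocol, reason.
    Returns a list of problems; an empty list means the request is complete and well-formed."""
    problems, nets = [], {}
    for field in ("src", "dst"):
        try:
            nets[field] = ipaddress.ip_network(req.get(field, ""), strict=False)
        except ValueError:
            problems.append(f"{field}: not a valid IP address or CIDR range")
    for field in ("src_port", "dst_port"):
        try:
            parse_port(req.get(field, ""))
        except ValueError:
            problems.append(f"{field}: not a port number, port range or 'any'")
    if req.get("protocol", "").strip().upper() not in PROTOCOLS:
        problems.append("protocol: must be TCP or UDP")
    if not req.get("reason", "").strip():
        problems.append("reason: business reason for the change is missing")
    # The worksheet documents which addresses may connect; 0.0.0.0/0 documents nothing.
    if "src" in nets and nets["src"].prefixlen == 0:
        problems.append("src: an any-source rule needs specific addresses or a documented exception")
    # The destination must be a host or range inside the secure credit card vlan.
    if "dst" in nets and (nets["dst"].version != cde_vlan.version or not nets["dst"].subnet_of(cde_vlan)):
        problems.append("dst: destination is outside the secure credit card vlan")
    return problems

# Constructed sample request: ticket-office workstations reaching the payment web server.
SAMPLE_REQUEST = {"src": "198.51.100.0/24", "src_port": "any", "dst": "192.0.2.10", "dst_port": "443",
                  "protocol": "TCP", "reason": "Ticket office workstations submit phone orders to the payment web server"}

if __name__ == "__main__":
    print(validate_rule_request(SAMPLE_REQUEST) or "request is complete")
```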
When reporting connectivity problems you need to provide the following to University Information Security:
- source IP
- destination IP
- Type of traffic attempted (SSH connection, HTTP connection, etc)
- Time/date of the attempt
If we are unable to diagnose the problem by looking at the logs for traffic that was denied, University Information Security can arrange to have the logging level turned up temporarily on the firewall to log all connections - connections that were allowed and connections that were denied.
Will admins be able to get the logs of connections blocked by the ACLs for the secure credit card vlan or FWSMs via syslog?
Not initially.
What group will be managing the ACLs and FWSMs for the secure credit card vlan?
OIT will have to approve all changes. Send change requests to University Information Security at abuse@umn.edu
Can I run my own firewall?
Yes, firewalls offer another layer of defense. ACLs will still be required.
Will the ACLs for the secure credit card vlan drop packets based on protocol?
Yes, but we do not anticipate doing this.
Can other servers be put in the secure credit card vlan?
For management reasons, this will not be allowed.
What traffic will be allowed for all vlans?
DNS to the two main nameservers and NTP will be allowed by default, as will ICMP traffic for network maintenance. Access will be allowed for University Information Security scanners.
What steps should be followed when decommissioning a device involved in credit card processing?
- Securely wipe or physically destroy the hard drive
- Email abuse@umn.edu (OIT Security) and pmtcard@umn.edu (University PCI Compliance/Controller's Office) the following:
  - IP address
  - MAC address
  - Network jack location of the device *
  - Reason for decommissioning (e.g., completed UM1705 form stating no longer processing)
  - Secure data deletion process:
    - Method used
    - Date completed
    - Completed by
  - Merchant account #/merchant manager
  - FWSM firewall rule change, if applicable
- Update your PCI computer inventory and your network diagram
- Update your Qualys asset group
* If the network jack will no longer be used for credit card processing, include the MID that University Information Security should transfer the jack to.
After receiving this information, University Information Security will work with you and the Controller's Office to complete the decommissioning process.
What are some tips on how to secure the Web browser?
- General purpose Web browsing and e-mail will not be allowed on desktops involved in credit card processing. However, since some people are entering credit card information via secure Web pages (e.g., YourPay or Authorize.Net), it makes sense to think about how to configure your Web browser securely.
- If possible, use Firefox instead of Internet Explorer.
- For Internet Explorer, it is recommended that the Internet zone be set to "High" security and that business sites (either specific URLs or wild cards such as https://*.yourpay.com) be set up at medium security in the Trusted Zone. This will allow the business sites to function but help secure other sites. For more information on how to do this, see Microsoft's step-by-step directions at the Internet Explorer Security Settings web page.
- Firefox does not have the same concept of zones that Internet Explorer does but still has many useful features. Some recommended features are:
  - Check weekly for updates (should be turned on by default but good to check)
  - Allow cookies from the originating Web site only
  - Block popups and allow sites that need popups by using the allowed sites button
  - Do not have Firefox remember your passwords
  - When starting downloads have it open the download manager (this is also the default)
Resources & Links