Payment Card Industry - Data Security Standard (PCI-DSS)

Transcription

1 Payment Card Industry - Data Security Standard (PCI-DSS) Tills Security Standard (SAQ P2PE) Version March 2018 University of Leeds 2018 The intellectual property contained within this publication is the property of the University of Leeds. This publication (including its text and illustrations) is protected by copyright. Any unauthorised projection, editing, copying, reselling, rental or distribution of the whole or part of this publication in whatever form (including electronic and magnetic forms) is prohibited. [Any breach of this prohibition may render you liable to both civil proceedings and criminal penalties].

2 Document Ownership and Management Policy Author Kevin Darley, IT Assurance Team (PCI-DSS Internal Security Assessor [ISA]) Policy Owner Jane Madeley, Chief Financial Officer The audience of this document should be aware that a physical copy may not be the latest available version. The latest version, which supersedes all previous versions, is available at Those to whom this Policy applies are responsible for familiarising themselves periodically with the latest version and for complying with Policy requirements at all times. Version Number Date Circulation Changes March 2018 PCI-DSS Stakeholders and staff associated with the tills payment stream of the University s CDE. New document to incorporate requirements from Finance Standard, Management Standard, Systems Security Standard, Operational Security Standard and Training Standard and to align to PCI-DSS P2PE. For information in alternative formats (for example, in Braille, large print or an electronic format), please cybersecurity@leeds.ac.uk. You can also contact us via the IT Service Desk on telephone number Tills Security Standard Version Page 2 of 6

3 1. Introduction This Standard defines the requirements for maintaining the security of all credit and debit card payments processed through tills by the University, in accordance with the Payment Card Industry Data Security Standard (PCI-DSS) (the Standard). All staff associated with the management and operation of tills including anyone who processes card payments even on a temporary basis, must adhere to this Standard and comply with the University s PCI-DSS Security Policy. This Standard will be reviewed annually as a minimum and updated where necessary in accordance with the Standard. Prior to each publication, it will be audited and signed off by an independent University Internal Security Assessor (ISA) or a commissioned Qualified Security Assessor (QSA) Management and Operation of Tills 2.1 The Catering Services Manager is ultimately responsible for ensuring that tills are managed and operated in accordance with this Standard and is required to complete an annual certificate of internal compliance to confirm that the requirements of this Standard and the University s PCI- DSS Information Security Policy are being fully met. 2.2 Only till solutions which are listed on the Payment Card Industry Security Standards Council website as being an approved P2PE solution are to be used within the University s CDE and must be approved by the University IT Assurance Team prior to rental or purchase. 2.3 The University Catering Systems Manager is responsible for the deployment and management of University tills and for ensuring compliance with this Standard by till users. 2.4 In the event of a till no longer being required the associated merchant ID (MID) must be cancelled or reused. 2.5 By default University till receipts are to be masked (only showing the last 4 digits of the Primary Account Number [PAN]). 2.6 The University Catering Systems Manager is responsible for ensuring all controls in the P2PE instruction manual (PIM) are implemented prior to till installation and a record maintained. 2.7 Internal firewalls will be deployed to protect the University s tills. 2.8 Under no circumstances are tills to be attached to any wireless network. 2.9 All network sockets used for tills must be secured so that only the MAC address of an authorised till can connect to the given network port Till sockets must not be changed without verified instruction first being received from the Catering Services Manager. 1 ISAs and QSAs are qualified in PCI-DSS to the same level but an ISA can only assess their employer s own compliance programme. Tills Security Standard Version Page 3 of 6

4 2.11 The Catering Systems Manager and her assigned deputies may use authorised tools to support tills Third party remote access to the tills can only be enabled for authorised technical support staff using authorised tools. A comprehensive record of all remote support activity is to be fully maintained by the Catering Services Manager so as to be readily available to the PCI-DSS Incident Investigations Team. 3. SAQ P2PE Requirements 2 SAQ # PCI-DSS Implement Strong Access Control Measures University Operational Compliance Requirements 9.9 Devices that capture payment card data via direct physical interaction with the card must be protected from tampering and substitution An up-to-date list of devices must be maintained. The list should include the following: Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Device surfaces must be periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). 1. On each day a till is used staff are to carry out an inspection of it for signs of tampering. 2. A log of all inspections is to be maintained. 3. Any till user or supervisor who notices any anomaly of a till is to report the matter immediately to the IT Service Desk so that the matter can be investigated in accordance with the PCI-DSS Incident Standard. 4. An up-to-date list of tills must be maintained by the Catering Services Manager. The list should include the following: Make, model of tills; Location of tills (for example, the address of the site or facility where the tills are located); Till serial number or other method of unique identification; MAC address. 5. The first person using a till each working day is visually inspect it and sign a checklist provided confirming that there are no signs of tampering or substitution. 2 In the SAQ P2PE requirements below the word till refers to all components of the till, including the till PC, the Pin Entry Device (PED), PED cradle, and cabling. Tills Security Standard Version Page 4 of 6

5 9.9.3 Personnel are to be trained to be aware of attempted tampering or replacement of devices. Training should include the following: Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behaviour around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behaviour and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer) Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. 6. All till users will receive training in the use of the tills in including taking card payments. 7. All engineer visits to repair or maintain tills will be communicated in advance to till users by the Catering Systems Manager. Till users and supervisors are prohibited from allowing an engineer access to a till unless the Catering Systems Manager has verified the authenticity of engineer s attendance. 8. Tills must not be installed, replaced, or returned without the verification of the person requesting it and the authority of the Catering Systems Manager. 9. Any suspected tampering or suspected replacement of tills must be reported immediately to the IT Service Desk so that the matter can be investigated in accordance with the PCI-DSS Incident Standard. 10. Staff operating tills are to remain vigilant of suspicious behaviour and are to immediately report any such event to the IT Service Desk. 11. Only staff who have been trained in the secure operation of tills and who are authorised by a Catering Systems Manager are authorised to use them. SAQ # PCI-DSS Maintain an Information Security Policy University Operational Compliance Requirements A PCI-DSS Security Policy and PCI-DSS Security Standards which define information security responsibilities for all CDE personnel will be established, published, maintained annually, and disseminated. 12. See University PCI-DSS Security Policy and Standards Tills Security Standard Version Page 5 of 6

6 12.6 A formal security awareness program is implemented to make all personnel aware of the cardholder data security policy and procedures Implemented policies and procedures are maintained to manage service providers with whom cardholder data is shared, or which could affect the security of cardholder data An incident response plan will be implemented in the event of system breach. The plan addresses the following: Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum; Specific incident response procedures; Business recovery and continuity procedures; Data backup processes; Analysis of legal requirements for reporting compromises; Coverage and responses of all critical system components; and, Reference or inclusion of incident response procedures from the payment brands. 13. The University Catering Manager must complete annual training: PCI Core, PCI Taking Payments, PCI Using a PED, Guidance for Using a PED (Verifone). 14. All till users must complete annual training: Guidance for Using a PED (Verifone). 15. The University Treasury Team are responsible for engaging and managing service providers. 16. The University IT Assurance Team are responsible for monitoring service provider PCI-DSS compliance status. 17. See University PCI-DSS Incident Management Standard. Tills Security Standard Version Page 6 of 6