Payment Card Industry Data Security

  1. POLICY

    Salt Lake Community College complies with established Payment Card Industry Data Security Standards (PCI DSS) when accepting payments by payment card. PCI DSS standards include requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The following procedures establish internal controls for maintaining these standards.
  2. REFERENCES

    Payment Card Industry Security Council – Current Data Security Standards.
  3. DEFINITIONS

    1. Cardholder Data (CHD): data that contains the full card account number, expiration date, and cardholder name.

    2. Information Security Office (ISO): an office within the Office of Information Technology responsible for the security of sensitive data. ISO employees are designated as information security officers and assist college departments, safeguard data systems, and otherwise comply with data security standards and practices.

    3. Payment Card: a bank-issued debit or credit card (e.g., Visa, MasterCard, American Express, or Discover) and the college One-Card, including contactless payment apps such as Apple Pay.

    4. Payment Card Industry Data Security Standards (PCI DSS): standards established by the Payment Card Industry Security Standards Council. Any business or organization that accepts payment cards must comply with these standards.

    5. Payment Card Industry Security Team (PCI Team): a group of college employees responsible for compliance with payment card industry data security standards.

  4. PROCEDURES

    1. General Procedures
      1. The college strictly forbids the storage of sensitive authentication data, including the contents of the magnetic stripe, the card validation or security code, and the PIN or PIN block.
      2. The college prohibits the storage of cardholder data (CHD).
      3. Employees must not transmit CHD without an approved, PCI-policy-compliant device or technology.
      4. OIT is responsible for maintaining secure college networks, systems, and applications involving payment card transactions and monitoring and testing systems following the PCI data security standards.
      5. Before a college department is authorized to use a service provider or third-party point-of-sale software system that accepts payment cards, or to use a vendor's credit card reader device, the vendor must provide documentation that the system or device complies with current PCI standards.
      6. Documentation must be submitted to the ISO before the system or device is used.
      7. Employees must report a suspected data security breach immediately to the PCI Team. The team is responsible for investigating and informing the vice president for Finance and Administration of any potential or confirmed data breaches.
    2. PCI Security Team
      1. The college must establish a PCI Team comprising, at minimum, a representative from the Controller's Office, the Chief Information Security Officer (CISO), the Information Security Officer (ISO), and the bursar or the bursar's designee.
      2. The team will be exclusively responsible for:
        1. implementing a security awareness program to educate all employees regarding the importance of cardholder data security;
        2. establishing, documenting and distributing security procedures and related updates;
        3. monitoring ongoing security compliance and making updates to the procedures as the environment changes;
        4. providing input on, and granting approval for, the adoption of or changes in critical information technologies that could impact data security; and
        5. being first responders in the event of a system breach, analyzing security alerts, and documenting and coordinating security incident responses to ensure situations are handled in a timely and effective manner.
    3. PCI Data Security Procedures
      1. Network Diagrams
        1. OIT will create and access network diagrams.
        2. Network diagrams must be reviewed by OIT when there is a system change and at least annually to ensure that CHD is secure.
        3. Current, accurate network diagrams should be maintained by OIT to ensure that all the appropriate firewalls and segmentation are enforced.
      2. Third Party Software
        1. College departments that use third-party software must ensure that CHD is secure at every point as it is transmitted across college networks to outside networks.
        2. Any changes that occur with third-party software upgrades, changes in college devices, or relocation of college devices, must be documented by the bursar's office immediately.
      3. Password Protection and Vendor Defaults
        1. College system administrators and the bursar's office payment system specialist must always change, remove, or disable vendor-supplied defaults or accounts before installing the following on the college network:
          1. operating systems;
          2. software that provides security services;
          3. point-of-sale devices and terminals; and
          4. third-party payment application data security standard (PA-DSS) software.
        2. Wireless Networks (Wi-Fi)
          College departments must not use the college's wireless network for any PCI system that processes or transmits CHD.
      4. System-hardening
        All PCI system components must be configured according to industry-accepted system-hardening standards including:
        1. Center for Internet Security (CIS);
        2. International Organization for Standardization (ISO); and
        3. National Institute of Standards and Technology (NIST).
      5. Approved Devices
        1. The bursar's office must approve all devices used to process CHD.
        2. Only mobile devices approved by the bursar's office can be used to process CHD.
        3. All mobile devices must have an automatic disconnect of the session after a designated period of inactivity, usually 30 minutes.
        4. Single Purpose Devices
          1. PCI devices such as desktops, web servers, database servers, and DNS servers must be configured by OIT to prevent operations that require different security levels from co-existing on the same device.
          2. Desktops with card processing software or web access to a third-party vendor must not have other programs or web-surfing capabilities. Only necessary services, protocols, daemons, etc. required for the system's function will be enabled.
      6. Secure Cryptography and Transport Layer Security (TLS)
        1. Required services, protocols, or daemons that are not secure on their own, such as NetBIOS, file sharing, Telnet, and file transfer protocol (FTP), must be secured with additional security features, using the most recent version of TLS.
        2. Secure shell (SSH), secure file transfer protocol (SFTP), or an internet protocol security virtual private network (IPsec VPN) are also allowed.
        3. Secure sockets layer (SSL) is not considered secure encryption.
      7. Preventing System Misuse
        1. All college systems components will have only the necessary configuration to support payment processing functionality.
        2. All unnecessary functions must be removed by OIT to prevent misuse and reduce risk to the PCI environment.
      8. Maintain System Component Inventory
        The bursar will keep an inventory of all PCI devices and components, including:
        1. hardware serial numbers, model names, and locations;
        2. IP addresses, DNS, VLANs, and operating systems;
        3. the purpose of the components; and
        4. the owners.
      9. CHD Retention and Storage
        1. CHD on Paper
          1. CHD taken by phone for payments must be processed immediately.
          2. Only the cardholder's name, address, card number, and expiration date should be put on paper.
          3. Once processed, the paper containing the CHD should be immediately destroyed using a crosscut shredder.
          4. The college forbids any other form of CHD storage and forbids the acceptance of CHD by facsimile (fax) or email.
        2. Sensitive CHD
          1. All department points of contact shall sign an annual document which states they are not storing sensitive data.
          2. Sensitive authentication data, including CVV or CVC, PIN or PIN blocks, or full track data (from a magnetic stripe or a chip), must never be stored.
        3. CHD should never be recorded or stored anywhere digitally or physically including removable media or spreadsheets.
      10. Encrypt Transmission of CHD Across Open, Public Networks
        1. Strong cryptography and security protocols must be used to safeguard CHD during transmission over open, public networks.
        2. OIT accepts only trusted keys or certificates and employs industry best practices to implement strong encryption for wireless networks that authenticate or transmit CHD or that are connected to the CHD environment.
      11. Vulnerability Management
        1. The college uses anti-virus software on all applicable PCI devices, including those system types that are most affected by malicious software.
        2. OIT regularly evaluates all systems with anti-virus to ensure they can remove malware threats.
      12. Maintaining Anti-virus Mechanisms
        OIT updates anti-virus software to ensure that the anti-virus:
        1. is kept current;
        2. runs scans;
        3. generates audit logs as required by PCI DSS Requirement 10.7; and
        4. has not been removed, altered, or disabled.
      13. Change Control Procedures
        1. To make changes to PCI equipment, departments must complete a request for change through the bursar's office and include all applicable documentation.
        2. When a security patch is applied, or there are software modifications, OIT and the bursar's office must coordinate to document and permanently retain:
          1. the impact of the change; and
          2. the approvals that are required from all parties.
        3. For any change, the vendor must provide documentation of a PCI assessment showing compliance after the change was made.
        4. All documentation changes should be sent to the bursar.
      14. Access Controls
        1. The college assigns a unique ID to each person with computer access.
        2. Only personnel with a legitimate business need may access CHD or other sensitive data.
        3. The bursar's office must create a list of roles according to the position and duties of an employee.
          1. The bursar's office must assign and document the level of access to each role.
          2. The bursar's office must assign each employee the least amount of privileges necessary to perform their duties.
        4. For automated systems and manual processes, access controls must be implemented by the bursar's office as soon as they are created.
          1. Every component must have the required access controls implemented.
          2. Department documentation must include:
            1. dates of creation and implementation of each access control;
            2. each component that requires access control; and
            3. a description of the access, which roles need the access, and the position within the role.
          3. Users must be informed regarding their degree of access and the required security responsibilities.
          4. Roles for access controls shall be reviewed when changes are made and at least annually.
          5. The bursar's office must approve documentation.
          6. All access control documentation shall be completed and maintained within the bursar's office.
        5. Departments will have risk assessments performed annually.
      15. Regularly Monitor and Test Networks
        OIT will:
        1. monitor and test networks;
        2. perform audits of individual access to CHD; and
        3. implement an audit trail.
      16. Regular Testing of Security Systems and Processes
        1. Internal and External Network Vulnerability Scans
          1. OIT will scan weekly all third-party software system components and all desktop computers that access a third-party vendor's hosted web service for processing payment cards.
          2. Any discovered vulnerabilities will be remediated within 30 days.
          3. Scans will be rerun until all high-risk vulnerabilities are resolved.
          4. OIT must perform internal scans as patches and updates are made to their CHD environment.
          5. External Network Vulnerability Scans will be run quarterly on all public facing PCI systems.
        2. Penetration Testing
          1. A qualified internal or external entity designated by OIT will perform penetration testing on the applicable PCI systems.
          2. OIT will ensure that the designated entity uses testing methodology outlined in PCI DSS Requirement 11.3.
          3. Penetration testing will be completed by OIT whenever system changes have been made to the PCI environment and at least annually.
          4. System changes are defined as well documented, low risk, and proven.
          5. Standard changes are done regularly according to industry best practice recommendations.
          6. Instances of a standard change to 'primary systems' need to be submitted to and reviewed by OIT through the Change Control Team Meeting before implementation.
          7. Instances of a standard change to 'non-primary systems' need to be submitted to and reviewed by OIT through the Change Control Team Meeting before implementation.
          8. Coordination activities can be done at the discretion of the Information Security Office.
        3. Change Classifications
          1. Minor Change: a change that has a low impact on the number of users affected or the service's criticality, a low risk of failure, and a required lead time, with change notification made through standard methods.
            1. Minor changes are reviewed at the Change Control Team Meeting and approved by OIT.
            2. Coordination activities can be done at the discretion of the Information Security Office.
          2. Major Change: a change that has a significant impact on users or services, a high risk of failure, or is complex and requires multiple teams to implement. This change may also include new, high-profile applications used in production for the first time or changes to applications requiring a high degree of coordination between multiple organizations.
            1. Coordination activities can be done at the discretion of all the groups/individuals involved.
          3. Emergency Change: a change that must occur immediately to fix severe loss in service capability.
            1. Communication and updates will be performed through standard notification methods.
          4. Significant Change: a change that may include standard, minor, major, or emergency changes and is highly dependent on the configuration of a given environment.
            1. If an upgrade or modification could allow access to CHD or affect the security of the CHD environment, then it could be considered significant. Refer to Significant Change Requirements.
        4. Intrusion Detection
          1. OIT monitors all traffic and notifies departments of any suspected threats or compromises.
          2. Departments must respond immediately following notification of a suspected threat or compromise.
        5. Change Detection
          1. College-approved endpoint protection software must be used on all systems using third-party vendors to detect changes, additions, and deletions of critical system files, configuration files, or content files, including operating system programs and application executables.
          2. OIT monitors endpoint protection for alerts and unauthorized changes.
          3. When the third-party vendor does not support college-approved endpoint protection, documentation must be provided from the vendor that the system is security hardened and meets OIT requirements.
      17. Daily Operational Security Procedures
        1. Each department must maintain daily operational procedures to ensure that its operations are secure and meet each PCI Standard.
        2. Security procedures must:
          1. include all technical and administrative functions;
          2. be in place, with logs kept for user account additions, changes, and deletions; and
          3. be reviewed by employees at least annually.
        3. The bursar's office and OIT must date, document, and maintain any system changes or incidents.
      18. Usage Policies and Procedures
        1. OIT implements procedures that secure the usage of remote access technologies, wireless technologies, removable electronic media, laptops, tablets, PDAs, email, fax, and the internet.
        2. OIT's procedures require, and departments must enforce, that any third-party software or CHD system be authenticated by a user ID and password and by two-factor authentication.
        3. OIT's Procedures include formal written authorization approving access to each CHD technology and documentation listing all devices and the employees that use each device.
        4. Documentation must be kept and updated.
        5. Vendors and third parties may have limited access to college systems.
          1. Prior arrangements should be made to allow access.
          2. Access should be granted for only the required amount of time.
          3. Departments must require the vendor or third party to use the college's two-factor authentication solution.
          4. The college must ensure through internal procedures that employees are informed that no CHD is to be copied, moved, or stored on local hard drives or removable electronic media.
      19. Security Responsibilities for Personnel
        1. Security for each responsibility must be defined and distributed to employees.
        2. Documentation demonstrating that each employee understands their security responsibility shall be maintained and updated by the department.
      20. Assignment of Security Management Responsibilities
        1. The chief information security officer and the PCI Team share the responsibility of security management.
        2. The chief information security officer is responsible for establishing, documenting, and distributing security incident responses.
        3. The PCI Team is responsible for:
          1. establishing, documenting, and distributing security policies and procedures;
          2. suggesting policy updates when there is a change in procedure; and
          3. creating, maintaining, and executing escalation procedures and processes.
        4. Departments are responsible for:
          1. monitoring and controlling access to data;
          2. administering, adding, deleting, and modifying user access, and informing the bursar; and
          3. distributing security incident procedures to employees.
      21. Formal Security Awareness Program
        1. OIT provides formal training for every employee who has access to CHD.
        2. Departments must provide a list of employees with CHD access at least annually or when there is a new hire, change in duties, or termination.
        3. The bursar will send a notification to an employee when it is time for that employee's annual training.
        4. The bursar will maintain a database of employees authorized to access CHD and update it as employees complete training.
        5. The bursar will email updates to PCI information or changes in procedures to the employees in the database.
      22. Background Checks
        PCI DSS standards require that background checks be performed on all college employees who have access to CHD.
      23. Incident Response Plan
        1. Departments must maintain an internal incident response plan to report incidents to the Controller's Office and the chief information security officer.
        2. Anyone who identifies an incident must immediately report it to the department manager or director.
        3. The director or manager must document events in a report and forward the report to the Controller's Office and the chief information security officer. The report must include:
          1. the date the incident was found;
          2. the type of incident;
          3. how the department became aware of the incident; and
          4. whether or not the department disabled the breached device or system.
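Procedures 4.1.1, 4.1.2 and 4.9 prohibit storing CHD and sensitive authentication data anywhere, including spreadsheets, logs and removable media. One practical way to verify that is to scan files for primary account numbers (PANs) before they are exported or archived. The scanner below is an added example, not part of the college policy or of any college or PCI Council tool; the sample lines it scans are constructed, and the card numbers in them are the well-known Visa and Mastercard test values, not real accounts. It reports only a masked form of each hit (first six and last four digits), so the scan report itself does not become a new place where CHD is stored.

```python
"""Find likely primary account numbers (PANs) in text so that files that must
never hold cardholder data (spreadsheets, logs, exports) can be located and
cleaned up.  Added example; not the college's or any vendor's code."""
import re
from typing import List, NamedTuple

# A candidate is 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run (so 20+ digit tracking numbers are skipped).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int
    masked: str   # first six and last four digits kept, the usual PCI masking form
    length: int   # number of digits in the PAN


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); every payment card PAN satisfies it.
    Used to separate real card-number shapes from order ids and reference codes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, e.g. 411111******1111."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid 13-19 digit sequence, by line number.
    Only the masked PAN is retained; the full number is never kept."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits), len(digits)))
    return findings


# Constructed sample: a log/spreadsheet export that should not contain CHD.
# 4111 1111 1111 1111 and 5555-5555-5555-4444 are published test card numbers.
SAMPLE = """\
2024-03-04 order=48213 phone payment card=4111 1111 1111 1111 exp=12/26
2024-03-04 order=48214 ref=1234567890123 status=ok
2024-03-04 note: customer gave 5555-5555-5555-4444 over the phone
2024-03-05 tracking 9400111899223456789012 delivered
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: possible PAN {f.masked} ({f.length} digits)")
```

The scan flags lines 1 and 3 and ignores the 13-digit reference number (it fails the Luhn check) and the 22-digit tracking number (too long to be a PAN). It finds PANs only: CVV/CVC values, PINs and track data have no reliable textual shape, so the only defence against storing them is the policy itself and the annual attestation in Procedure 4.9.2. Run it against the staging area of any export or against a department's shared drive, and treat each hit as a finding to be destroyed and reported under Procedure 4.1.7.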

Date of last cabinet review: November 7, 2022

The originator of this policy & procedure is the Controller's Office. Questions regarding this policy may be directed to the originator by calling 801-957-4084.