2.1.3 CARDHOLDER DATA SECURITY

Transcription

1 University of Oxford Finance Division FINANCIAL POLICY CARDHOLDER DATA SECURITY Date: 27 June 2017 Version: 1.0 Status: Draft Author: Bridget Midwinter

2 TABLE OF CONTENTS Page Purpose... 3 Objectives... 3 Scope... 4 Roles and Responsibilities... 4 Compliance... 5 Review and Development... 5 Appendix I June 2017 Version 1.0 Page 2 of 6

3 Purpose This policy outlines the University s approach to managing the security of payment cardholder data and sensitive authentication data and provides the guiding principles and responsibilities to ensure the University complies with the Payment Card Industry Data Security Standard (PCI DSS). Refer to Appendix 1 for further information regarding PCI DSS. This policy should be read in conjunction with, the University s Information Security Policy and the Cardholder Data Security Rules as published on the University Finance Division website. Definition Wherever this policy refers to cardholder data this applies to both cardholder data and/or sensitive authentication data. Cardholder data is defined as including the Primary account number (PAN), cardholder name, expiry date, and security code. The PAN is the defining factor for cardholder data. If cardholder name, security code, and/or expiry date are stored, processed or transmitted with the PAN they must be treated as cardholder data. Sensitive authentication data is defined as: - Full track data (magnetic-stripe data or equivalent on a chip) - CAV2/CVC2/CVV2/CID - PINs/PIN blocks Objectives The University s objectives for securing cardholder data are that: All units 1 processing, transmitting or handling cardholder data on behalf of the University will be demonstrably compliant with the PCI DSS. Cardholder data will not be stored in electronic format on any system or system components that are managed and maintained by the University. Cardholder data will only be processed or transmitted in accordance with specific University handling rules and guidelines. Only technologies and services approved by the Finance Division will be used to store, process or transmit cardholder data on behalf of the University. All external parties that provide services that may affect the security of cardholder data will be approved by Finance Division and contractually bound to comply with the requirements of the PCI DSS. All individuals with access to cardholder data are aware and kept informed of their responsibilities in this respect. 1 Units in the context of this policy includes all academic divisions, departments, faculties, and other units, all service units, and all majority and wholly owned subsidiaries. 26 June 2017 Version 1.0 Page 3 of 6

4 Incidents that potentially affect the security of cardholder data are effectively managed and resolved, and learnt from, to improve our control environment and compliance. Scope This policy is applicable across the University and applies to: All units that process, transmit or handle any cardholder data on behalf of the University; Any units that may otherwise affect the security of cardholder data being processed on behalf of the University; External parties that provide services that may affect the security of cardholder data being processed on behalf of the University; and All majority and wholly owned University subsidiary companies that process, transmit or handle any cardholder data unless separate policies have been formally approved and adopted by the Boards of those companies and endorsed by Council s General Purposes Committee. Roles and Responsibilities The following bodies and individuals have specific responsibilities for cardholder data security: The Director of Finance is responsible for the security of cardholder data processed on behalf of the University and for the University s compliance with the PCI DSS; establishing and maintaining the University s strategy and framework for the security of cardholder data and sensitive authentication data, and compliance with the PCI DSS; establishing, maintaining and monitoring compliance against applicable PCI DSS requirements and cardholder data handling rules across the University; establishing, reviewing, maintaining and appropriately communicating all policies, processes and procedures relating to the security of cardholder data and compliance with the PCI DSS; and providing suitable guidance and support to departments regarding the handling of cardholder data. The Chief Information Security Officer is responsible for providing technical advice in relation to PCI DSS requirements; and 26 June 2017 Version 1.0 Page 4 of 6

5 maintaining the University s Information Security Policy as appropriate to reflect current PCI-DSS requirements. Heads of Departments and Faculty Board Chairs and their equivalents, and heads of University Services, are responsible for the effective implementation of this policy and for the security and compliance of cardholder data within their unit. Units may lose their Merchant ID and the ability to process payment cards if found to be non-compliant, and will be responsible for any costs that the University incurs as a result of any non-compliance. All staff handling cardholder data are required to comply with the terms of this policy, and to undertake relevant awareness training. Staff handling cardholder data are responsible for making informed decisions to protect the security of the data, and are accountable for maintaining compliance with the PCI DSS. Staff in breach of the terms of this policy may be subject to disciplinary action. Compliance The University will conduct information security compliance and assurance activities to ensure its security objectives and the requirements of the PCI DSS are met. Failure to comply with this policy and cardholder data handling rules will be treated extremely seriously by the University and may result withdrawal of the merchant ID and ability to process cards as well as in enforcement action on a department or individual. Review and Development This policy, and supporting documentation, will be reviewed and updated by the Finance Division on an annual basis to ensure that they: - Remain operationally fit for purpose; - Reflect changes in technologies; - Are aligned to industry best practice; and - Support continued regulatory, contractual and legal compliance. 26 June 2017 Version 1.0 Page 5 of 6

6 Appendix I PCI SECURITY STANDARDS COUNCIL (PCI SSC) The PCI Security Standards Council was founded by American Express, MasterCard Worldwide, and Visa Inc (amongst others). Participating organisations include merchants, payment card issuing banks, processors, developers and other vendors. It is a global open body formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the PCI security standards. See PCI Security Standards Council web site for more detail PCI DATA SECURITY STANDARD (PCI DSS) PCI Security Standards are technical and operational requirements set by the PCI SSC to protect cardholder data. The standards apply to all organisations that store, process or transmit cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI DSS is enforced by the founding members of the Council. All Merchants who accept or process payment cards must comply with the PCI DSS. Substantial penalties can be imposed for non-compliance with the PCI DSS regulations, with further penalties for any actual data compromise. As a final resort, the Merchant can be refused permission to process card data. OVERVIEW OF PCI DSS REQUIREMENTS The 12 requirements of PCI DSS in summary are: Requirements 1-2 Build and maintain a secure network Requirements 3-4 Protect cardholder data Requirements 5-6 Maintain a vulnerability management programme Requirements 7-9 Implement robust control measures / Control access to card data Requirements Regularly monitor and test your computer networks Requirement 12 Make information security a priority 26 June 2017 Version 1.0 Page 6 of 6