Credit Card PCI DSS Compliance Processes
We keep a network diagram of the entire SSPL network stored on our file server for audit purposes. It outlines all connections for staff equipment, shows the logical paths for the credit card processing equipment, and is reviewed annually and updated as required by PCI DSS and our security policy.
On the network diagram we illustrate the firewall connections. The firewall that protects our staff network, and in turn the credit card processing equipment, is maintained by our consortium group SALS, as are the firewall and internet access of the Clifton Park and Crandall Libraries. The Joint Automation (JA) group within SALS has configured the firewall to comply with the requirements of PCI DSS: the credit card processing equipment is segregated logically from other traffic on the network and is allowed to communicate only to and from its assigned destination, the internet gateway address of Comprise Technology Inc. JA and Comprise Technology Inc. will attest that all of the systems we use to process patrons' credit cards are compliant with the standards set forth by the credit card industry.
Vendor-Supplied Defaults for System Passwords and Other Security Parameters
All of our network equipment resides in the building; it is physically secured and has had all administrative passwords changed from the default settings. All administrative access to those devices is over encrypted channels, as is the data passed from the credit card processing equipment to the secure gateway, which uses industry standard SSL encryption. Currently the library has no staff wireless network, nor do we allow wireless to be used for any patron transactions; any change to that in the future would be made in conjunction with JA and filtered through the security requirements of PCI DSS. An annual review of these passwords and encryption levels will be performed to ensure SSPL and JA are meeting the levels required by PCI DSS.
Stored Cardholder Data
Our chosen approach to securing patron credit card numbers is to not retain any credit card information. The particular software and hardware configuration was chosen specifically so that we have no opportunity to retain any sensitive information. Our Polaris client sends a request to Comprise's gateway asking the gateway to initiate a credit card transaction between the pin-pad and the patron. From then on the interaction is encrypted and effectively off our staff network, which only passes the encrypted sensitive information through, until the Comprise gateway reports to Polaris that the patron's credit card was successfully transacted.
Our current method and hardware configuration does not display or retain the patron's PAN (primary account number) or card verification number (the number on the back of the card). That information is exchanged between the pin-pad and the Comprise gateway. We do, however, print receipts for the patron for the payment received; this receipt has a partial PAN (last four digits) printed on it, which is acceptable practice under the PCI DSS standards. We have no software or staff role that would require seeing or saving a patron's PAN other than printing a receipt for their records.
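As an added check, not part of SSPL's own documentation or Comprise's software, the following Python script scans receipt or log text for full card numbers (13 to 19 digits that pass the Luhn check) so a library can verify that printed receipts and any retained output contain only the truncated PAN described above. The two sample receipts are constructed; 4111111111111111 is a widely published test card number, not a real account.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_full_pans(text: str) -> list:
    """Return digit strings in text that look like full PANs (Luhn-valid, 13-19 digits).

    A truncated PAN such as '**** **** **** 1111' is never reported because only
    four digits are present.
    """
    found = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def receipt_is_truncated(receipt: str) -> bool:
    """True when the receipt text carries no full PAN, only a masked/partial one."""
    return not find_full_pans(receipt)


# Constructed sample receipts (hypothetical format, not real SSPL output).
GOOD_RECEIPT = "SSPL Fine Payment\nCard: **** **** **** 1111\nAmount: $5.00\n"
BAD_RECEIPT = "SSPL Fine Payment\nCard: 4111 1111 1111 1111\nAmount: $5.00\n"

if __name__ == "__main__":
    for label, rcpt in (("good", GOOD_RECEIPT), ("bad", BAD_RECEIPT)):
        print(label, "truncated" if receipt_is_truncated(rcpt) else "FULL PAN FOUND")
```

The same scan can be run over exported receipt spool files or application logs to confirm that nothing beyond the last four digits is ever written to disk.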
Encrypted Transmission of Cardholder Data Across Open, Public Networks
Transmission of Cardholder Data
The public network transmission of data takes place between the pin-pad and the Comprise gateway. All protocols and transmissions are managed by Comprise, who have affirmed that they use industry standard security to protect sensitive data in transit. SSPL currently has a policy of not sending patron data for anything other than library business. At no time would staff need to send PANs over unsecured technologies, and per our training material staff will have no opportunity to interact with a cardholder's PAN.
Secure Systems and Applications
Risk and Vulnerability
We address our risk of access by unauthorized entities by working with our credit card processor, First Data. They arrange for a certified industry security group, Trustwave™, to perform routine penetration testing on our equipment; the minimum for compliance is quarterly, and we are scanned monthly for any faults that need to be addressed. We are currently at a medium risk level because the processing equipment does have access to the internet, but we do not house any information used to process payments nor any credit card information.
Restricted Access to Cardholder Data
Limit Access to Cardholder Data
We have no access levels for cardholder data because we do not keep, store, copy, or view any of the cardholder information used by our system. We intend to mitigate our risk by maintaining this policy, along with proper annual training of staff on our policy of non-involvement with cardholder data, so that our compliance will not be in question.
Unique IDs for Each Person with Computer Access
This section is not applicable as there are no accounts on, or login access to, any of our credit card processing equipment; they are simple processing machines. Any work or maintenance on a machine would not be performed remotely; it would be returned to Comprise for maintenance at their facility.
Restricted Physical Access to Cardholder Data
Physically Secure All Areas and Media Containing Cardholder Data
SSPL uses a logical control (DHCP) as part of its network security; additionally, physical security measures ensure that access to any connection to the network is limited to authorized equipment or persons. Staff are trained on how to handle receipts; although receipts are printed with only a partial PAN in compliance with PCI requirements, the receipt is handed to the patron as proof of payment.
Destruction of Data
We hold no records of cardholder data, and therefore this section is not applicable at this time with our current equipment/software configuration.
Protection of Payment Devices
The pin-pad equipment will be secured to a stand that is in turn secured to a desk. An image and the serial number of each SSPL pin-pad device are recorded and stored for use in spotting any tampering. Staff will be encouraged, through annual training, to visually inspect the pin-pads for any signs of tampering, and will be alerted to the scenarios a suspicious person may attempt in order to access cardholder data. The IT group will be responsible for regular physical inspection, checking cables, marks that would indicate tampering, serial numbers, and damage that could affect the operation of the device.
Regular Tests of Security Systems and Processes
Quarterly scans test for weak points, as the penetration tests do, and we fill out a quarterly survey to help spot and address vulnerabilities. The ASV survey and attestation help keep security items up to date and keep us aware of our responsibilities.
Information Security for Employees and Contractors
The Saratoga Springs Public Library has, or will have, a public policy posted on our website along with our other current policies, which we will review annually and update as needed. We do not feel that the use of any of the library's other technologies will interfere with our credit card acceptance policy, but we have in place several guidelines for the use of our technologies by patrons as well as staff that encourage opportunity and safety while on the internet.
The use of technology on SSPL staff networks is restricted by design: all commonly connected devices (desktops, laptops, wireless devices) have no or limited access to the networks by default and must be physically added to the network to gain access.
SSPL staff have a duty to maintain the grounds and infrastructure of the institution, including the credit card payment system. An individual staff member has no more responsibility here than they would in stopping vandalism to the property. Unlike with other SSPL property, however, they will be updated annually and reminded of what is needed to uphold that duty in regard to the credit card system.
Incident Response Policy (As it pertains to Credit Card issues)
Unlike the general security responsibilities above, incident response will be handled by a member of the administration. The response will generally be headed by the Computer Services Manager with support from the Library Director and Board of Directors.
Any incident (theft, damage, unauthorized access) will be identified and investigated by the Computer Services Manager, supported by all staff who may have witnessed the incident.
Reporting an Incident
Any incident involving patron CC information or a CC device should be reported to the Library Administration, and specifically to the Computer Services Manager. No one should communicate with anyone outside of their supervisor or the IT Group about any details or generalities surrounding any suspected or actual incident. Document any information you recall while waiting for the IT Group to respond to the incident; if known, this must include the date, time, and nature of the incident. Any information you can provide will aid in responding in an appropriate manner.
Incident Response Policy
Contain, Eradicate, Recover and perform Root Cause Analysis
- Notify applicable card associations. (To be performed by Administration Staff)
- Provide the compromised Visa accounts to Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa’s “What to do if compromised” documentation for additional activities that must be performed. That documentation can be found at usa.visa.com.
- Contact your merchant bank for specific details on what to do following a compromise. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.
- Discover Card: contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.
- Alert all necessary parties. Be sure to notify:
  - Merchant bank
  - Local FBI Office
  - U.S. Secret Service (if Visa payment data is compromised)
  - Local authorities (if appropriate)
- Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- Collect and protect information associated with the intrusion. In the event that forensic investigation is required the IT Group will work with legal and management to identify appropriate forensic specialists.
- Eliminate the intruder's means of access and any related vulnerabilities.
- Research potential risks related to or damage caused by intrusion method used.
Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of the SSPL Administration and all affected parties will meet to review the results of any investigation, determine the root cause of the compromise, and evaluate the effectiveness of the Incident Response Plan. Other security controls will be reviewed to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security controls can be made more effective or efficient must be updated accordingly.
Saratoga Springs Public Library shall establish and maintain a formal security awareness program, integrated into the annual training, to make all personnel aware of the importance of cardholder data security.
Saratoga Springs Public Library shall implement and maintain policies and procedures to manage service providers. This process includes the following:
- Maintain a list of service providers
- Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data they possess
- Implement a process to perform proper due diligence prior to engaging a service provider
- Monitor service providers’ PCI DSS compliance status. Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity