PCI Security Awareness for ECU Payment Card Merchants

Read this document carefully. Sign, date, and return the last page to your departmental PCI coordinator, who is required to store the documentation for 1 year. Retain the rest of the document for your reference.

This document applies to all business units, personnel, contractors, and computers involved in storing, processing, transmitting, or receiving Payment Card Cardholder Data at East Carolina University.

Definitions for terms used in this document:

1. PCIDSS = Payment Card Industry Data Security Standard (currently version 2.0). Details of PCIDSS are available from the PCI Data Security Standards Council website at: https://www.pcisecuritystandards.org .
2. Payment Card = credit card or debit card.
3. PAN = Primary Account Number (full credit card or debit card numbers).
4. Cardholder Data = personally identifiable data associated with a PAN, expiration date, name, address, or Social Security number.
5. OSC = North Carolina Office of the State Controller.

ECU business units and their employees with access to Cardholder Data must adhere to all requirements for compliance with PCIDSS. Questions about PCI compliance at ECU should be directed to the eCommerce Manager in Financial Services.

You are responsible for the security of the Cardholder Data that you store, access, process, transmit, or receive. Do not process or store Cardholder Data unless your business unit has been certified PCI compliant by ECU Financial Services.

PCI compliance requirements are determined by the PCI Data Security Standards Council, acting on behalf of the major payment card companies (e.g., Visa, MasterCard). PCI compliance is mandatory and must be certified by ECU Financial Services annually or any time your card processing environment changes. Payment Card companies (e.g., Visa, MasterCard) can punish violators by revoking card processing privileges for the entire University, fining the University (starting at $500,000 per violation), and requiring permanent onsite compliance auditing by a certified external security assessor at your expense.

PCI Security Awareness—Revised 7/6/12 Page 1 of 8

Rules for All ECU Employees and Affiliates

1. All potential ECU Payment Card merchants must be approved by ECU Financial Services and certified PCI compliant before purchasing any card-processing materials, signing any card-processing contracts, or receiving any Cardholder Data.
2. Electronic storage of third-party PANs at ECU is prohibited at any time for any reason. Any storage of Cardholder Data after business needs expire is prohibited.
3. Payment processing functions must be outsourced to an off-campus PCI-compliant vendor approved by ECU Financial Services and OSC.
4. Accessing, transmitting, or receiving Cardholder Data via the ECU campus wireless network is prohibited.

How to Care for Cardholder Data

PCI compliance requirements depend upon your method of storing, accessing, processing, receiving, and transmitting Cardholder Data. If you use telephone lines to process payments and/or store Cardholder Data on paper, you must comply with Section 1 of the following requirements. If you use computers to perform any of these functions electronically, you must comply with Section 2 of the following requirements.

Section 1. PCI Compliance for Payment Card Processing Without Computers

If you use Payment Card readers that transmit and receive Cardholder Data via telephone lines and/or store Cardholder Data on paper:

1. Do not store or process any Cardholder Data until you have been certified PCI compliant by ECU Financial Services. Your certification must be renewed annually.
2. Your business practices and information security practices must be audited annually by ECU Financial Services. Results of the audit must be submitted to OSC for annual PCI certification renewal.
3. Access to Cardholder Data must be granted on a need-to-know basis.
4. During business hours, restrict Cardholder Data to a controlled-access area.
5. After business hours, keep Cardholder Data in a locked container (e.g., file cabinet, vault). Only people who have a need to access Cardholder Data should have keys, combinations, or passwords that give them access to the Cardholder Data.
6. Dispose of Cardholder Data in a secure manner as soon as your business need for it expires. Use a cross-cut shredder or a certified shredding service. Never throw Cardholder Data in the trash.
7. If you use keys to restrict access to Cardholder Data, you must maintain a current access list of all personnel possessing those keys. If someone’s need to access Cardholder Data expires, their key must be returned immediately and the key list must be updated immediately. If a key is lost, the lock must be changed immediately and new keys must be issued immediately.
8. If you use a combination lock to restrict access to Cardholder Data, you must maintain a current access list of all personnel possessing the combination. If someone’s need to access Cardholder Data expires, the combination must be changed immediately and the access list must be updated immediately.
9. Never store the CVV code (the 3- or 4-digit number printed on the signature line of a Payment Card) for any reason.
10. Avoid sending or receiving Cardholder Data via email. If you must send Cardholder Data via email, you must use encryption (minimum of 128-bit cipher strength; 256-bit AES encryption is strongly recommended). Check with ITCS for available encryption solutions.
11. Check with University Financial Services if you have questions about storage or processing of Cardholder Data.
12. Any change in your processing or storage of Cardholder Data must be certified PCI compliant by ECU Financial Services before you implement the change.

Section 2. PCI Compliance for Payment Card Processing With Computers

If you use computers to access, process, transmit, or receive Cardholder Data electronically:

1. You must comply with all requirements in Section 1, if you also store Cardholder Data on paper.
2. Do not process any Cardholder Data until you have been certified PCI compliant by ECU Financial Services. Your certification must be renewed annually.
3. Electronic storage of third-party PANs at ECU is prohibited at any time for any reason.
   a. Electronic storage includes, but is not limited to: workstations (desktops or laptops), Piratedrive, PDAs, tablets, smartphones, external hard drives, flash drives, scanned images, or any other computing or storage devices, even if the data is encrypted.
   b. If your card-processing environment loses its connection to card-processing services, local caching of PANs until connection is restored is prohibited.
   c. You may store the last 4 digits of the PAN electronically, but not the full number.
4. Any storage of the CVV code (the 3- or 4-digit number printed on the signature line of a Payment Card) is prohibited.
5. Your business practices, information security practices, and computing environment (workstations, servers, network, storage, disposal) will be audited for PCI compliance annually by ECU Financial Services. Your computers and network will be scanned monthly for vulnerabilities by Trustwave, a certified scanning vendor employed by and reporting to OSC. Results of the audits must be submitted to OSC for annual PCI certification renewal.
6. Any vendor supporting your card processing infrastructure (hosting service, gateway, application software, card reader hardware) must be certified PCI compliant and provide you with written proof annually. Your business unit is responsible for keeping this proof on file at all times. If your vendor loses their PCI certification, your PCI certification is voided immediately.
7. All computers used to store, access, process, receive, or transmit Cardholder Data must be connected to a special PCI-compliant section of the ECU campus computer network, which is isolated from the rest of the campus computer network and does not include wireless components. This special PCI-compliant section of the campus network contains only hard-wired data connections.
8. The ECU campus wireless network is not PCI compliant. Never use the ECU wireless network to access, process, transmit, or receive Cardholder Data. Never connect an ECU computer used for processing Cardholder Data to any wireless network.
9. Dispose of Cardholder Data securely as soon as your business need for it expires.
10. Access to Cardholder Data must be granted on a need-to-know basis. If you use passwords to restrict access to Cardholder Data, you must maintain a current access list of all personnel having access to Cardholder Data. You must require the use of strong passwords for access to Cardholder Data (see the “Passwords” section of this document for details about creating strong passwords). These passwords must adhere to the same requirements as ECU PirateID passwords. If someone’s need to access Cardholder Data expires, their access to the Cardholder Data must be deleted immediately and the access list must be updated immediately.
11. Avoid sending or receiving Payment Card information via email. If you must send Payment Card information via email, you must use encryption (minimum of 128-bit; 256-bit AES encryption is strongly recommended). Check with ITCS for available and approved encryption solutions.
12. Check with ECU Financial Services if you have questions about personal or departmental storage or processing of Cardholder Data.
13. Any change in your processing or storage of Cardholder Data must be certified PCI compliant by ECU Financial Services before you implement the change. Changing your processing without prior certification voids your PCI compliance. Potential changes include, but are not limited to, the following:
   a. payment gateway
   b. third-party vendor for hardware, software, or hosting services
   c. Payment Card processing software versions (on server or workstation)
   d. location and physical access to servers or workstations
   e. installation of new workstations or computing devices of any kind
   f. network jack used to connect server or workstation to PCI-compliant section of ECU network.
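The two rules a departmental application most often gets wrong are items 3c and 4 of Section 2: only the last 4 digits of a PAN may be kept electronically, and the CVV may never be kept. The following is an added example, not code from ECU or from this document, showing one way to enforce those rules before a transaction record is written to disk, plus a scan that finds stray full PANs (Luhn-valid runs of 13 to 19 digits) in free text such as notes or log files. All sample data is constructed; the card numbers are the well-known industry test numbers, not live accounts.

```python
import re

# Constructed sample data for this example (not real cardholder data).
SAMPLE_RECORD = {
    "customer": "Jane Doe",
    "pan": "4111 1111 1111 1111",   # industry test number, not a live PAN
    "cvv": "123",
    "expires": "12/14",
    "amount": "45.00",
}

SAMPLE_TEXT = "\n".join([
    "Order 1042 paid by card 4111 1111 1111 1111",   # Luhn-valid: a PAN
    "Call back at 252-328-9866 if declined",          # phone number, too short
    "Typo in note: 4111111111111112",                 # 16 digits but fails Luhn
    "Order 1043 paid by card 5500-0000-0000-0004",    # Luhn-valid: a PAN
])


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_last4(pan: str) -> str:
    """Return only the last 4 digits, the most the policy allows to be stored."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("input does not look like a valid PAN")
    return digits[-4:]


def redact_for_storage(record: dict) -> dict:
    """Strip the full PAN and the CVV from a transaction record before storage.

    Every other field is kept as-is, 'pan' is replaced by 'pan_last4', and
    'cvv' is dropped entirely (storing the CVV is prohibited for any reason).
    """
    kept = {k: v for k, v in record.items() if k not in ("pan", "cvv")}
    kept["pan_last4"] = pan_last4(record["pan"])
    return kept


# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def find_pans(text: str) -> list:
    """Return normalized PANs found in free text (Luhn-valid digit runs only)."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    print(redact_for_storage(SAMPLE_RECORD))
    print(find_pans(SAMPLE_TEXT))
```

The Luhn filter is what keeps `find_pans` useful on real notes: it rejects phone numbers by length and rejects most random digit strings by check digit, so a scan of a shared drive or mailbox export reports mostly genuine PANs. It is a detection aid, not proof of absence; a PAN split across lines or written with unusual separators would be missed.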

Passwords

You are responsible for the security of your user account (userid). Your computer access is tracked by your userid, which is protected by a password. Never allow anyone else access to your userid. If someone else gains access to your userid by guessing/stealing your password or if you permit someone else to login as you, authorities must assume that all actions associated with your userid were performed by you. Protect yourself by using passwords wisely. Passwords must adhere to the same requirements as ECU PirateID passwords as follows.

1. Use passwords whenever possible.
   a. Never use a blank password.
   b. Change all default passwords immediately.
2. Create strong passwords (passphrases) by following these guidelines:
   a. Make your password at least 8 digits in length.
   b. Don’t use repeating digits.
   c. Use a combination of numbers and letters.
   d. Mix upper- and lower-case letters.
   e. Use special characters (!, @, #, &, %, etc.) within the password, not just at the beginning or end.
   f. Never use dictionary words (including foreign or archaic languages), your account name, proper names, zip codes, or room numbers in your password.
3. Keep your passwords secret.
   a. Don’t write your password and hide it under the telephone, under the keyboard, or in a desk drawer.
   b. Don’t reveal your password to anyone, including your superiors. If anyone pressures you to reveal your password, they are in violation of University policy, which forbids the sharing of userids or passwords. Notify ECU Human Resources of the violation immediately—your anonymity will be protected.
   c. When using a computer or accessing a website, don’t use any option that offers to “save my password for the next time” or “automate my login.” This option will store your password, which is just as bad as writing it down. Stored passwords can be stolen and used against you.
4. Change all your passwords at least every 90 days.
   a. Don’t re-use old passwords.
   b. Don’t use the same password for multiple systems.
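Rule 2 above is concrete enough to check by machine, which is how a departmental application protecting Cardholder Data would enforce it at password-change time. The following is an added example, not ECU's or the document's own code; it returns the list of guidelines a candidate password breaks. Two points are assumptions of this example rather than the document's wording: "repeating digits" is read as the same character twice in a row, and the dictionary is a constructed six-word stand-in (a real deployment would load a full word list, plus site-specific lists of proper names, zip codes and room numbers).

```python
import re

# Constructed, deliberately tiny word list standing in for a real dictionary.
DICTIONARY_WORDS = {"password", "pirate", "secret", "welcome", "summer", "letmein"}

SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def password_violations(password: str, userid: str, forbidden: set = None) -> list:
    """Return the list of guidelines the password breaks (empty list = acceptable).

    Checks follow the 'Create strong passwords' guidelines. 'Repeating digits'
    is interpreted here as any character appearing twice in a row (assumption).
    """
    forbidden = DICTIONARY_WORDS if forbidden is None else forbidden
    problems = []
    lowered = password.lower()

    if len(password) < 8:                                   # guideline a
        problems.append("too short (minimum 8)")
    if re.search(r"(.)\1", password):                       # guideline b
        problems.append("repeated consecutive characters")
    if not (re.search(r"\d", password) and re.search(r"[A-Za-z]", password)):
        problems.append("must combine numbers and letters")  # guideline c
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("must mix upper- and lower-case letters")  # guideline d
    # Guideline e: a special character counts only if it sits inside the
    # password, not merely at the first or last position.
    if not any(ch in SPECIAL for ch in password[1:-1]):
        problems.append("needs a special character inside the password")
    if userid and userid.lower() in lowered:                # guideline f
        problems.append("contains the account name")
    if any(word in lowered for word in forbidden):          # guideline f
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "jdoe2024", "Tr0ub4d#rX9"):
        print(candidate, "->", password_violations(candidate, "jdoe") or "OK")
```

Returning every broken guideline rather than a single pass/fail lets the application tell the user exactly what to fix, which matters because the most common failure mode ("Password1!") breaks three guidelines at once: it repeats a character, puts its only special character at the end, and contains a dictionary word.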

Secure Computing Practices

Any workstation that contains or processes Payment Card information must be treated as a high-security computer. Users will be responsible for the security of their high-security computers, which will be subject to automated network security scans. To ensure the proper security and operation of your high-security computer:

1. Use antivirus software; never disable it. Update antivirus definitions daily; your campus computer should do this automatically if it was configured by ITCS. Scan all your files weekly to protect against malware (malicious software) that can steal your passwords, destroy your data, or take control of your computer. ITCS provides and installs Symantec Endpoint Protection (SEP) for campus PCs at no charge.
2. If your computer begins acting strangely, slows down significantly, or takes a very long time to start, it may be infected with malware (malicious software used by hackers). Call the ECU Help Desk at 328-9866 and open a service ticket to have your computer checked by a qualified technician. Tell the Help Desk representative that your computer processes Payment Card information and should be assigned an emergency status for investigation.
3. A firewall must be used on any computer that connects to a network or the Internet. Windows XP contains a built-in firewall. If your Windows XP computer has Service Pack 2 installed, the firewall is enabled by default. Windows 7 firewall is enabled by default. If ITCS installed your computer, this has already been done for you.
4. Whenever you leave your computer, lock it. Press the CTRL, ALT, and DEL keys simultaneously, then release them and choose “Lock Computer.” All current processes and active programs will continue to run, but unauthorized individuals can’t use your computer. When you return to your computer, login again and resume working.
5. Use a password-protected screen saver and configure it to blank your screen after 10 minutes of inactivity. Use only screen savers included in your Windows operating system. Never use an aftermarket screen saver on your work computer.
6. Turn off your computer if it will be idle for more than a few hours, especially if it will be idle overnight. A computer can’t get hacked or infected with malware while it’s turned off.
7. If a computer you use has been hacked, change ALL your passwords on ALL systems you access. Use a different computer known to be secure to change all your passwords immediately.
8. Report all PCI security incidents to the ECU Help Desk and ECU eCommerce Manager in Financial Services immediately.

Computer Software—Update Regularly and Use Prudently

Improper installation or use of computer software can nullify all measures taken to secure your computer and its computing environment. University-owned computers connected to the ECU campus network have their Microsoft operating systems, Microsoft Office applications, and Symantec Endpoint Protection automatically updated by ITCS. If you install software on your computer that is not originally installed by ITCS, you are personally responsible for updating and securing it.

Do not install any software that is not required to perform your job functions. If you’ve already installed it, uninstall it. If you don’t know how to uninstall it, call the Help Desk and open a Service Request to have a qualified technician service the computer. Examples of software to avoid:

1. Peer-to-peer (P2P) file sharing software (e.g., Kazaa, gnutella, BearShare, Grokster, Morpheus, Napster, LimeWire, etc.). Many computer worms are optimized to spread via P2P software.
2. Instant messaging (AOL Instant Messenger, Yahoo, etc.) and chat software.
3. Games
4. Add-on toolbars for Internet browsers
5. Desktop search tools
6. Aftermarket screen savers (especially those that automatically download pictures from the Internet)
7. Alternate (non-Microsoft) email (e.g., gmail, hotmail)
8. Non-Microsoft add-ons to Outlook (e.g., “cute” icons)
9. Weather-monitoring software
10. News-monitoring software
11. Stock market-monitoring software
12. Non-Microsoft media players (e.g., iTunes, Quicktime, RealPlayer)
13. Web server software (e.g., Internet Information Server, Tomcat)
14. Shopping or coupon software (e.g., Claria, formerly named Gator)
15. Password-caching software (stores your userids/passwords at remote location)
16. Online gambling software
17. Communications software (e.g., Skype)
18. Remote control and remote access software

Use email prudently. Never open any email attachment, regardless of its source. Save the file to your computer’s hard drive and scan it for viruses.


PCI Security Awareness Certification

I have read the document titled “PCI Security Awareness for ECU Payment Card Merchants.” I understand the document’s contents and will comply with them.

______________________________          ______________
Name (print)                            Date

______________________________
Signature
