This policy provides requirements and guidance for all credit card processing activities for the Georgia Institute of Technology.
At this initial publication of this policy the following sources were consulted and provided the basis for this program: ISO 17799, Visa CISP, MasterCard SDP.
REVIEW Comment: This policy will be considered effective July 31st, 2003 based on the provisional approval of the Associate Vice President of Financial Services and the Associate Vice President of the Office of Information Technology. Final approval of this policy will be by the President of the Georgia Institute of Technology based on a review by the Information Security Policy Committee.
The approval process for all credit card processing activities:
The Associate Vice President of Financial Services or delegate must approve all credit card processing activities at the Georgia Institute of Technology prior to entering into any contracts or purchasing equipment. This requirement applies regardless of the transaction method used (e.g. online processing at Georgia Tech, outsourced to a third party, or swipe terminals).
All technology implementation associated with the credit card processing must be in accordance with the Credit Card Processing Procedures and approved by the Associate Vice President of Information Technology prior to entering into any contracts or purchasing equipment.
All credit card numbers must be handled in accordance with the Data Access Policy requirements for category 4 data. Please contact OIT Information Security for assistance with interpretation and implementation. However, instances of P-card numbers or corporate cards where 4 or fewer digits are functionally present may be handled as category 3 data. Any conflicts between the requirements of the Data Access Policy and the Credit Card Processing Procedures will be resolved in favor of the Credit Card Processing Procedures.
Units approved for credit card processing activities must maintain the following standards:
Provide appropriate training to all employees handling systems with credit card numbers, including both personnel within the unit handling the credit card transactions and appropriate personnel in the Office of Information Technology.
Create, maintain and test annually business continuity/disaster recovery plans and system compromise response plans.
All outsourcing agreements must meet the standards set forth in the Credit Card Processing Procedures.
All servers storing or processing credit card numbers will be housed with the Office of Information Technology. All servers and POS Terminals will be administered in accordance with the requirements of the Credit Card Processing Procedures.
Credit card numbers will be retained for a maximum of 90 days. The only exception is transactions for future events, which may be retained up to 180 days from the transaction date. All media used for credit card numbers must be destroyed when retired from this use. All hardcopy must be shredded by at least a cross-cut shredder prior to disposal.
Access to credit card numbers must be restricted to the minimum number of people possible. No employee may have access to credit card numbers until he or she has attended the Credit Card Processing Policy Training and has tendered written acknowledgement of receipt of a copy of this policy, the Credit Card Processing Procedures and other appropriate policies (e.g., CNUP, Data Access Policy, Service Certification Process and Procedure, and unit level security policy). After completion of these requirements, the unit head may issue, in writing, authorization for the employee's access. No employee will have access to credit card numbers without such written authorization.
Each unit responsible for credit card processing must complete audits quarterly on all systems storing or processing credit card numbers to ensure compliance with this policy and the associated procedures. The Office of Information Technology will participate in these audits. Annual audits must be performed by Office of Information Technology Information Security to confirm the results of the quarterly audits.
All computers handling, processing, or storing credit card numbers must be registered in accordance with the revised Computer and Network Usage Policy.
All academic units, administrative units, organizations, and employees of the Georgia Institute of Technology, or that use systems or networks supported by the Georgia Institute of Technology, must abide by this policy.
This policy specifically addresses all credit card processing by the Georgia Institute of Technology. All POS terminals handling credit card numbers (in full or truncated) and all servers receiving, storing, or transmitting credit card numbers (in full or truncated) are subject to this policy. An exemption is provided for P-card numbers provided the credit card numbers are functionally truncated to four digits or less.
The computer hosting the application that the general end-user or the point-of-sale (POS) terminal connects
Category III Data Sensitive
This information is considered private and should be guarded from disclosure. However, public disclosure of this information due to a system compromise generally does not result in financial fraud or violation of State and/or Federal law. Examples include intellectual property information, private directory listings, and contract negotiations.
Category IV Data Highly Sensitive
Any disclosure of this information, intentional or otherwise, may contribute to financial fraud and/or violate State and/or Federal law. Examples include Social Security numbers, credit card numbers, financial institution account numbers, and employee and student health records.
Cardholder Information Security Program (CISP)
The formal data protection program mandated by Visa
Card Verification Value 2 (CVV2)
An additional verification code used in transaction processing
Credit Card Number
Any part or all of the unique number identifying the account for a financial transaction
The computer storing the sales and/or credit card numbers
Any internet-enabled financial transaction application, whether a buying application or selling application
Any employee (as defined by the Employee Handbook ) faculty, student employee, or contractor employed by a third party and providing services to the Georgia Institute of Technology
Encryption
Scrambling data in a recoverable format
Firewall
A network device or host-based software implementation designed to restrict network access to a computer
Hashing
Scrambling data in an unrecoverable but verifiable format
Intrusion Detection System (IDS)
A network monitoring device for recognition of attempts to compromise monitored systems
The International Standards Organization document defining computer security standards. The credit card vendors may have based their policies on this standard.
Point-of-Sale (POS) computer terminals either running as standalone systems or connecting to a server either at the Georgia Institute of Technology or remotely off site
Purchase Cards (P-Cards)
Credit cards obtained by Georgia Tech through a customer agreement with a bank for procurement purposes.
Site Data Protection Program (SDP)
The formal data protection program mandated by MasterCard
POS credit card terminals
Authentication requiring two different methods confirming identity typically based on something the user has (e.g. a card, a key, a fingerprint) and something the user knows (e.g. a password)
The design, development, implementation and management of the "front-end" of the eCommerce application
These procedures are required in direct support of the Georgia Institute of Technology Credit Card Processing Policy and were included in the original approval of the policy. This document sets forth the technical details and procedural requirements for implementing credit card processing at the Georgia Institute of Technology or outsourcing that processing to a third party. The procedures' scope, revisions, exceptions, and compliance are noted in the Credit Card Processing Policy.
The procedures are separated into the following general areas of interest:
Computer system security requirements
All computers handling credit card numbers must have the following in place:
- A host-based firewall technology preventing connections from all ports except a specific subset (e.g. 443 for secure web transactions, IP restricted port 22 for system administration). All firewall rules must be documented and modifications approved in keeping with the Service Certification Process.
- All Microsoft Windows computers must run anti-virus software.
- File integrity monitoring to an external system for critical system and application files for inappropriate/unauthorized modifications. Reviews for potential changes must occur daily.
- System logging or auditing to an external server for all critical operating system modifications (e.g. all logins, unauthorized file access attempts), with the log maintained for at least 6 months.
- A single function (e.g. application or database) is implemented per server.
- Security patches must be tested and, if possible, applied within one week of vendor release. All patches must be applied, or documentation explaining the implementation problem provided, within 30 days. A change log must be maintained for all servers.
- Passwords must be at least 8 characters long, be complex (inclusion of a number or special character), expire after 90 days or less, not reuse the last 4 passwords, and be stored in an encrypted or hashed format.
- All accounts must be disabled after 30 days of inactivity and, if not re-enabled and actively used, removed after an additional 60 days. The only exception is emergency accounts used for system recovery and not used regularly.
- All system patches must be applied to a new computer before connecting to the network. All default account names and default passwords must be changed before connecting to the network. All computer security configurations and services/daemons must be reviewed before connecting to the network.
- Perform vulnerability testing on associated computers every 30 days with penetration testing at least annually.
- Only allow computer access by uniquely assigned and auditable IDs.
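The file integrity monitoring requirement above (baseline hashes of critical system and application files, kept on an external system and reviewed daily) can be implemented with nothing more than a cryptographic hash and a stored baseline. The following is an added illustration written for this page in Python, not a tool from the policy or from Georgia Tech; the file names, contents and the "external system" (a JSON string here) are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the hash of every critical file.

    The baseline must be stored OFF the monitored host (the policy's "external
    system"); a baseline kept on the host can be edited by the same intruder
    who modified the files.
    """
    return {path: sha256_of_file(path) for path in paths}


def compare_to_baseline(baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Daily review: classify each baselined file as unchanged, modified or missing."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unchanged": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_of_file(path) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two 'critical files', one tampered with, one deleted."""
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "app.conf")       # constructed sample config
    binary = os.path.join(workdir, "cardsvc")       # constructed sample binary
    for path, content in ((conf, b"listen=443\n"), (binary, b"\x7fELF-stub\n")):
        with open(path, "wb") as handle:
            handle.write(content)

    # Baseline is serialized as it would be when shipped to the external system.
    shipped = json.dumps(build_baseline([conf, binary]))

    # Simulate an unauthorized change and a deletion on the monitored host.
    with open(conf, "ab") as handle:
        handle.write(b"listen=8080\n")
    os.remove(binary)

    report = compare_to_baseline(json.loads(shipped))
    # Return base names only so the result does not depend on the temp dir.
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A production deployment would run `compare_to_baseline` from a scheduled job on the external system (pulling hashes over an authenticated channel) and raise an alert on any non-empty `modified` or `missing` list; files intentionally changed through the change-control process get a refreshed baseline entry at the same time.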
Connectivity security requirements
All computers handling credit card numbers must have the following provisions in place for network and modem connectivity:
- A network-based firewall preventing inappropriate/unauthorized access from outside the academic/business unit or specific authorized computers.
- An intrusion detection system monitoring for unauthorized access attempts.
- 24/7 monitoring of network-based firewall and IDS systems for potential penetrations and 24/7 on-call expertise for potential security incidents.
- Two-factor authentication for routers servicing all computers connecting to, handling, processing, or storing credit card numbers.
- Specific authorization for modem connections. All modem connections must be outbound only.
- All data transfers and administrative access must be in an encrypted format (e.g. SSL, SSH, IPsec).
Credit card number storage requirements
Credit card numbers must be protected by encryption, hashing, or truncation. No complete credit card numbers will be stored on computers owned by the Georgia Institute of Technology in an unprotected manner. Standard encryption algorithms must use at least a 128-bit key. Minimum key lengths will be increased as computing processing power improves. Minimum key lengths for new encryption technologies must be provided with these guidelines prior to implementation. Keys must be in a single accessible location with back-ups. Keys must be changed every 90 days and old keys must be deleted/destroyed after an additional 30 days.
The following additional requirements apply to computers storing credit card numbers and network connectivity beyond those noted in "Computer System Requirements" and "Connectivity Security Requirements":
- Accounts must lock out after six or fewer invalid login attempts and require manual re-enabling.
- Sessions must time-out after 15 minutes.
- All accesses to credit card numbers must be logged.
- All root access activities must be logged to an external server.
- The system must not be openly accessible from any public network.
- The computer's IP address must not be available outside the local subnet.
- A dedicated firewall must be in place specifically for computers storing credit card numbers to prevent any public access to protected systems. Access is only permitted by exception, by both IP and port.
- Credit card numbers must not be stored in multiple locations with the exception of backups.
- CVV2 information must not be stored beyond the transaction authorization point.
- Two-factor authentication is recommended.
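The storage rules in this section (truncation to four digits, hashing, a 90-day key change with a 30-day destruction window, CVV2 never stored past authorization, and the 90/180-day retention limits from the policy) fit together into one record-handling routine. The code below is an added example written for this page in Python, not the Institute's software; the card numbers, dates and the 13-to-19-digit length check are constructed or assumed for the demonstration, and the keyed hash (HMAC-SHA256 with a 128-bit key) is one way to satisfy the "hashing" option, chosen because an unkeyed hash of a 16-digit number can be reversed by enumeration.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import Dict, List

KEY_ROTATION_DAYS = 90        # keys must be changed every 90 days
KEY_DESTROY_GRACE_DAYS = 30   # old keys deleted/destroyed 30 days after rotation
RETENTION_DAYS = 90           # card numbers retained at most 90 days
FUTURE_EVENT_RETENTION_DAYS = 180  # exception for future-event transactions


def _digits(pan: str) -> str:
    """Strip spaces/dashes; length bounds are an assumption, not from the policy."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must have 13 to 19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits: the form the policy treats as category 3 data."""
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_token(pan: str, key: bytes, key_id: str) -> str:
    """Keyed hash so repeat customers match without the number being stored.

    The key id is prefixed so records can be re-tokenized when the key rotates.
    """
    if len(key) < 16:
        raise ValueError("policy minimum is a 128-bit key")
    mac = hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()
    return f"{key_id}:{mac}"


def key_status(created: date, today: date) -> str:
    """active: used for new records; retired: readable only; destroy: must be deleted."""
    age = (today - created).days
    if age < KEY_ROTATION_DAYS:
        return "active"
    if age < KEY_ROTATION_DAYS + KEY_DESTROY_GRACE_DAYS:
        return "retired"
    return "destroy"


def store_transaction(pan: str, cvv2: str, amount_cents: int, txn_date: date,
                      key: bytes, key_id: str, future_event: bool = False) -> Dict[str, object]:
    """Build the record that may be written to disk.

    CVV2 is validated here (it is needed only at the authorization step) and is
    deliberately absent from the returned record.
    """
    if not (cvv2.isdigit() and len(cvv2) in (3, 4)):
        raise ValueError("CVV2 must be 3 or 4 digits")
    keep = FUTURE_EVENT_RETENTION_DAYS if future_event else RETENTION_DAYS
    return {
        "pan_last4": truncate_pan(pan),
        "pan_token": pan_token(pan, key, key_id),
        "amount_cents": amount_cents,
        "txn_date": txn_date.isoformat(),
        "purge_after": (txn_date + timedelta(days=keep)).isoformat(),
    }


def records_to_purge(records: List[Dict[str, object]], today: date) -> List[Dict[str, object]]:
    """Records past their purge date must be deleted (and media destroyed when retired)."""
    return [r for r in records if date.fromisoformat(str(r["purge_after"])) < today]


if __name__ == "__main__":
    key = os.urandom(16)                       # constructed 128-bit key
    rec = store_transaction("4111 1111 1111 1111", "123", 4999, date(2003, 1, 1), key, "k2003q1")
    print(rec)                                 # no full PAN, no CVV2 in the record
    print(key_status(date(2003, 1, 1), date(2003, 4, 15)))
```

Note that `pan_token` is deliberately not reversible: if a unit genuinely needs to recover the full number (for example for refunds after the authorization window), the policy's encryption option with the same 90/30-day key schedule applies instead, and `key_status` returning `retired` is the signal that data under that key must be re-encrypted before the key is destroyed.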
Physical security requirements
All servers storing credit card numbers must have the following provisions in place:
- The servers must be in the Network Operations Center (NOC) for the Office of Information Technology. Servers must be placed in a separate locked room within the NOC or within locked racks. Video surveillance must be maintained on the servers. All access to servers by anyone except employees specifically approved for access to the credit card numbers must be escorted continuously.
- The NOC must log all room access (maintained for at least 90 days), maintain video surveillance of room ingress and egress, and provide identification for easily distinguishing employees, visitors, and inappropriate access. Visitors must be issued a NOC ID that must be returned, or be issued a temporary ID and continuously escorted.
- All backup media must be secured on site, off site, and in transit. All transportation must be handled by approved Institute employees or bonded couriers.
Any unit may select to outsource their credit card transaction processing. This option transfers the risk to the outsourced service. Approval for credit card transaction processing must follow the standard approval process. Contracts must address these elements:
- Compliance with all appropriate credit card company security requirements.
- Service level agreements.
- Defining data retention and destruction requirements.
Review process of credit card transaction processing request
- Document the business need for accepting credit card transactions in a new unit or location.
- Meet with Financial Services for justification and approval of business case.
- Meet with Information Security to evaluate options and costs for implementation (using existing facilities, implementing separate facilities, or outsourcing transaction processing).
- Meet with the Associate Vice President of Information Technology or Executive Director for the Office of Information Technology for technical approval of implementation.
- Meet with Georgia Institute of Technology Legal Affairs to ensure all contracts meet federal, state, and contractual requirements.
Upon approval, this policy shall be published on the Georgia Tech Office of Information Technology website under policies, and on the Business Office web site. The following offices and individuals shall be notified via email and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document:
- Associate Vice Provosts
- Associate Vice Presidents
- Internal Auditing
Revisions and Exceptions
This policy may be revised only by signature by the President of the Georgia Institute of Technology.
The Associate Vice President of Financial Services and the Associate Vice President of Information Technology may grant exceptions to this policy or revise the Credit Card Processing Procedures document by mutual agreement. Either the Associate Vice President of Financial Services or the Associate Vice President of Information Technology may grant exceptions to the Credit Card Processing Procedures.
Failure to comply with this policy and the associated required procedures by employees will be deemed a violation of Institute policy and subject to personnel action up to and including termination as noted in the Employee Handbook and/or the Faculty Handbook. Technology that does not comply with this policy and the associated required procedures is subject to disconnection of network services or confiscation of equipment pending review and approval of processes, procedures, and/or equipment.