Professional Documents
Culture Documents
Loyola University Maryland Information Security Policy For PCI SAQ C Merchants
Loyola University Maryland Information Security Policy For PCI SAQ C Merchants
Loyola University Maryland Information Security Policy For PCI SAQ C Merchants
MARYLAND
Introduction ............................................................................................................................................................ 1
Additional Process and Standards Documents Referenced by this Security Policy ................... 2
Introduction
To safeguard Loyola University Maryland‘s (“Loyola” or the “the University”) information technology resources and to protect
the confidentiality of data, adequate security measures must be taken. This Information Security Policy reflects Loyola’s
commitment to comply with required standards governing the security of sensitive and confidential information.
Purpose / Scope
This security policy is written to specifically address the security of data used by the Payment Card Industry. The policy
provides guidelines to protect Loyola‘s systems and data against misuse or loss.
The primary purpose of this security policy is to establish rules to ensure the protection of credit card information and to
ensure protection of Loyola University Maryland’s information technology resources. Credit card data stored, processed or
transmitted with Loyola’s Merchant ID must be protected and security controls must conform to the Payment Card Industry
Data Security Standard (PCI DSS).
Cardholder data within this document is defined as the Primary Account Number (PAN), Card Validation Code (CVC, CVV2, and
CVC2), Credit Card PIN, and any form of magnetic stripe data from the card (Track 1, Track 2).
This security policy applies to all users of computer systems, centrally managed computer systems, or computers authorized
to connect to Loyola’s data network. Individuals working for institutions affiliated with Loyola University Maryland are subject
to these same definitions and rules when using Loyola’s information technology resources.
This security policy applies to all aspects of information technology resource security including, but not limited to, accidental
or unauthorized destruction, disclosure or modification of hardware, software, networks or data.
Questions or comments about this policy should be directed to the custodian listed above.
Loyola University Maryland
Information Security Policy for SAQ C Merchants Page |2
Firewall and Router Configuration Standards Director of Security Advisory and Compliance
System Hardening and Configuration Standards Director of Security Advisory and Compliance
Payment Terminal Device Review Log Director of Security Advisory and Compliance
Vulnerability Discovery and Risk Ranking Director of Security Advisory and Compliance
SAQ C Service Provider Compliance Validation Process Director of Security Advisory and Compliance
Firewalls are devices that manage network traffic between the University’s networks (internal) and untrusted networks
(external). A firewall examines all network traffic and blocks those transmissions that do not meet specified security criteria.
All credit card processing systems must be protected from unauthorized access from untrusted networks, whether entering
the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access,
dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Firewalls are a
key protection mechanism for any computer network.
Loyola University Maryland will restrict connections from untrusted network segments to system components within the
cardholder data environment by completing the following:
• Maintain firewall and router configuration standards documentation1. (PCI-DSS Requirement 1.2)
• Firewall rules must limit all inbound and outbound traffic to/from the cardholder data network to only that which
is necessary for business. (PCI-DSS Requirement 1.2.1)
• When wireless networking is used, a firewall is required between any wireless network and the cardholder data
environment. Firewall rules must prohibit insecure traffic and restrict traffic from the wireless segment to only
that which is necessary for business. (PCI-DSS Requirement 1.2.3)
1.3 Prohibit Direct Public Access between the Internet and any System Component in the
Cardholder Data Environment
Loyola University Maryland will prohibit direct public access between the Internet and any system component in the
cardholder data environment by instituting the following:
• A firewall is required between the cardholder data network and the Internet. (PCI-DSS Requirement 1.3.3)
• Unauthorized outbound traffic will not be permitted from the cardholder data environment to the Internet. (PCI-
DSS Requirement 1.3.5)
• Use a firewall that implements stateful inspection, also known as dynamic packet filtering. (That is, only
“established” connections are allowed into the network.) (PCI-DSS Requirement 1.3.6)
2 Do Not Use Vendor Supplied Defaults for System Password and other Security Parameters
System components used in sensitive networks often will come with default vendor settings (usernames, passwords,
configuration settings, etc.). Loyola’s general policy is to always change vendor-supplied defaults for system passwords or
other security parameters before systems are installed in the secure network environment (cardholder data network).
• All vendor-supplied defaults must be changed on all system components before being used in the cardholder data
network. (e.g., passwords, simple network management protocol (SNMP) community strings, and elimination of
unnecessary accounts, etc.). (PCI-DSS Requirement 2.1, 2.2.d)
• If a wireless device is in use:
• All default settings for wireless environments (equipment) connected to the cardholder data environment or
transmitting cardholder data must be changed before enabling the wireless system for production use. (PCI-
DSS Requirement 2.1.1.a-e)
• The encryption keys, or passphrases, must be changed anytime anyone with knowledge of the keys leaves
the companies or moves to a position that no longer requires knowledge of the keys. (PCI DSS Requirement
2.1.1.a)
• Require that all wireless devices be configured or updated to support strong encryption technologies (i.e.,
WPA/WPA2) for both authentication to the network and transmission of data. (PCI-DSS Requirement 2.1.1.d)
• The removal of all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and
unnecessary web servers from system components in the cardholder network and document all enabled
functions for each system. (PCI-DSS Requirement 2.2.d, 2.2.5)
Cardholder data must be encrypted during transmission over networks that are accessed by malicious individuals.
Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets
of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
• Strong encryption algorithms and protocols (i.e., TLS, IPSEC, SSH) must be used whenever cardholder data is
transmitted or received over open, public networks. The following controls must be part of the Loyola ‘s data
transmission policies: (PCI-DSS Requirement 4.1.a)
• Only trusted keys or certificates will be accepted. (PCI-DSS Requirement 4.1.b)
• The data transmission protocol must be implemented to use only secure protocol configurations, and must
not support insecure versions or configurations (e.g., use the latest secure TLS and SSH versions only). (PCI-
DSS Requirement 4.1.c)
• The encryption strength is appropriate for the encryption methodology in use. (PCI-DSS Requirement 4.1.d)
• For TLS implementations, TLS must be enabled whenever cardholder data is transmitted or received. (PCI-DSS
Requirement 4.1.e)
• If SSL or early TLS is used on a POS POI terminal, documentation must be created detailing how it was verified
that the terminal is not susceptible to any known exploits for SSL or early versions of TLS. Documentation
must include evidence (vendor documentation, system/network configuration details, etc). (PCI-DSS
Requirement 4.1.f)
• If SSL or early TLS is used anywhere but a POS POI terminal, a risk mitigation and migration plan must be
created, which includes the following: (PCI DSS Requirement 4.1.g)
• Description of how it is used, including what data is being transmitted, the types and number of systems
that use and/or support SSL or early TLS and the type of environment.
• The risk assessment results, including the risk reduction controls that are in place.
• A process of how new vulnerabilities associated with SSL and early TLS are monitored.
• A description of change control processes that are in place to ensure no new environments are created
which utilize SSL and/or early TLS.
• An overview of the migration project plan that includes a migration completion date no later than June
30th, 2016.
• If wireless networks transmitting cardholder data or connected to the cardholder data environment are in
use, a documented standard must be created which ensures the use of strong encryption and industry best
practices. (PCI-DSS Requirement 4.1.1)
The following policies ensure system components are protected from malicious software and vulnerabilities that result from
software bugs and improperly patched applications and operating systems.
5 Protect All Systems against Malware and Regularly Update Anti-Virus Software or Programs
Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters a sensitive network
segment during many business approved activities, including employees’ e-mail and use of the Internet, mobile computers,
and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems
commonly affected by malware to protect systems from current and evolving malicious software threats.
• When any vulnerability (or potential vulnerability) is found using the documented vulnerability discovery and risk
ranking process 3, it must be evaluated and assigned a ranking based on the risk level. At a minimum, the highest
risk vulnerabilities should be assigned a “High” risk ranking. (PCI-DSS Requirement 6.1)
“Need to know” is when access rights are granted to the least amount of data and privileges needed to perform a job.
7.1 Restrict Access to Cardholder Data and Systems in Cardholder Data Environment
• Access to cardholder data and system components must be restricted to only those individuals whose job
requires such access. (PCI-DSS Requirement 7.1)
• Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities and assigned
to only those roles that specifically require the privileged access. (PCI-DSS Requirement 7.1.2)
• Access assigned to individual personnel is based on their job classification and function. (PCI-DSS Requirement
7.1.3)
It is the policy of Loyola University Maryland that no full cardholder data (credit card numbers) shall be stored in any format
(electronic or hardcopy media). If sensitive cardholder data is ever discovered or received, management must be notified and
it shall be immediately destroyed, redacted, or truncated following the information in section 9.8 of this policy. (PCI-DSS
Requirement 9.8)
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to
granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or
open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for
example, to a manager or security officer).
10 Track and Monitor All Access to Network Resources and Cardholder Data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a
data compromise. The presence of logs allows thorough tracking, alerting, and analysis which are critical in monitoring the PCI
environment. Detailed monitoring procedures should be developed and documented to meet the following policies.
• Logs of all servers and system components that perform security functions (for example, firewalls,
intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce
redirection servers, etc.).
• Review logs of all other system components periodically based on the organization’s policies and risk
management strategy, as determined by the organization’s annual risk assessment.4 (PCI DSS Requirement
10.6.2)
• Follow up exceptions and anomalies identified during the review process. (PCI DSS Requirement 10.6.3)
12 Maintain a Security Policy that Addresses Information Security for All Personnel
A strong security policy informs employees what is expected of them. All employees and vendors should be aware of the
sensitivity of data and their responsibilities for protecting it.
Note: “Employees” refers to full-time and part-time employees, temporary employees and personnel, and contractors
and consultants who are “resident” on the company’s site.
• Loyola University must maintain a documented incident response plan (IRP) and be prepared to respond
immediately to a system breach. (PCI-DSS Requirement 12.10)
• The IRP must clearly define roles and responsibilities for response team members. (PCI-DSS Requirement 12.10.1)
• The IRP must define communication strategies to be used in the event of a compromise including notification of
payment brands. (PCI-DSS Requirement 12.10.1)
• The IRP must define specific incident response procedures to be followed. (PCI-DSS Requirement 12.10.1)
• The IRP must document business recovery and continuity procedures. (PCI-DSS Requirement 12.10.1)
• The IRP must detail all data back-up processes. (PCI-DSS Requirement 12.10.1)
• The IRP must contain an analysis of all legal requirements for reporting compromises of sensitive data (for
example, California Bill 1386 which requires notification of affected consumers in the event of an actual or
suspected compromise of California resident’s data). (PCI-DSS Requirement 12.10.1)
• The IRP must address coverage and responses for all critical system components. (PCI-DSS Requirement 12.10.1)
• The IRP must include or reference the specific incident response procedures from the payment brands. (PCI-DSS
Requirement 12.10.1)
Loyola University Maryland
Information Security Policy for SAQ C Merchants P a g e | 16
__________________________________________
Employee’s Printed Name
__________________________________________
Employee’s Department
__________________________________________
Employee’s Telephone Number
__________________________________________
Employee’s Physical Address and Mail Location
I, the user, agree to take all reasonable precautions to assure that Loyola University Maryland internal information, or
information that has been entrusted to Loyola University Maryland by third parties such as customers, will not be disclosed to
unauthorized persons. At the end of my employment or contract with Loyola University Maryland, I agree to return to Loyola
University Maryland all information to which I have had access because of my position with the University. I understand that I
am not authorized to use this information for my own purposes, nor am I at liberty to provide this information to third parties
without the express written consent of the internal Loyola University Maryland ‘s Chief Information Officer, who is the
designated information Owner.
I have access to a copy of the Loyola University Maryland Information Security Policies Manual, I have read and understand
the manual, and I understand how it affects my job. As a condition of continued employment at Loyola University Maryland, I
agree to abide by the policies and other requirements found in that manual. I understand that non-compliance will be cause
for disciplinary action up to and including system privilege revocation, dismissal from Loyola University Maryland, and perhaps
criminal and/or civil penalties.
I agree to choose a password as described in the Loyola University Maryland Information Security Policies Manual, I agree not
to share this password with any other person, and I agree not to write this password down unless it has been transformed in
an unrecognizable way.
I also agree that I will promptly report all violations or suspected violations of information security policies to the Chief
Information Officer or the Director of Security Operations.
__________________________________________
Employee’s Signature