Purpose
This document establishes a formal vulnerability management standard and outlines the related requirements specified in the Payment Card Industry Data Security Standards that must be implemented into all UMD network infrastructures that are processing cardholder data.
Additional authority
The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirements 5 and 6.
Scope
This standard applies to all UMD network infrastructures that are transmitting and processing cardholder data. PCI DSS defines the following data elements as cardholder data: the full Primary Account Number (full PAN) plus any of the following: cardholder name, expiration date, service code, information from the magnetic stripe or card chip, and/or Personal Identification Number.
Standard
Vulnerabilities must be managed on UMD departmental and affiliated vendor networks that are handling cardholder data in order to decrease the likelihood of unauthorized individuals gaining access to this data. An effective vulnerability management program requires that security controls are implemented to provide detection, prevention and protection against vulnerabilities. These security controls are addressed by the requirements specified in this standard and must be implemented in order to be compliant with the PCI DSS Vulnerability Management Program requirements.
NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.
Requirements
Malware protection
- Deploy anti-virus software on all systems running Windows and Apple operating systems.
- Anti-virus software can be downloaded free of charge from TERPware or departments may install anti-virus software of their choosing.
- The deployment of anti-virus software on Linux based systems is suggested but not required.
- Automatic updates must be enabled on the anti-virus software so that the most current virus definitions and software version will be utilized at all times.
- The anti-virus software must be configured to automatically perform virus scans of systems at regular intervals as well as delete or quarantine any discovered viruses.
- Anti-virus logs should include details relating to the discovery of malicious code and what action was taken to contain it.
- Anti-virus logs must be retained for at least a year.
- The anti-virus software must be centrally managed and have controls in place that restrict regular users from disabling or tampering with the anti-virus software configuration.
- Malware protection related security policies and operational procedures must be documented, in use, and known to all affected parties.
Vulnerability scanning
- All networks that are handling cardholder data must coordinate with DIT Security and provide the appropriate information so that monthly vulnerability scans can be performed on the network.
- Quarterly external scans will be performed by a PCI Approved Scanning Vendor.
- All vulnerabilities discovered that are rated medium or higher must be resolved or remediated.
- High risk vulnerabilities must be resolved within 10 business days unless a written exception or extension has been requested by the system owner or administrator and approved by DIT Security.
Patching
- Vendor-supplied security patches must be installed in a timely manner. When critical security patches are released, they must be installed within a month.
- An automatic method should be established for notification when new patches are available.
- All patches must be evaluated and tested prior to deployment.
- A record of patches that have been deployed and the affected systems should be documented and maintained.
Develop and maintain secure systems
- Develop internal and external software applications, including web-based administrative access to applications, in accordance with PCI DSS and based on industry best practices. Incorporate information security throughout the software development life cycle. This applies to all software developed internally as well as bespoke or custom software developed by a third party.
- Custom code should be reviewed prior to the application being put into production in order to identify any potential coding vulnerabilities.
- Follow change control processes and procedures for all changes to system components. Ensure all relevant PCI DSS requirements are implemented on new or changed systems and networks after significant changes.
- Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines, including how sensitive data is handled in memory. Common coding vulnerabilities include:
  - Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws, as well as other injection flaws.
  - Buffer overflow.
  - Insecure cryptographic storage.
  - Insecure communications.
  - Improper error handling.
  - All "High Risk" vulnerabilities identified in the vulnerability identification process.
  - Cross-site scripting (XSS).
  - Cross-site request forgery (CSRF).
- Coding techniques must address broken authentication and session management.
- Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
- Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.