Purpose
This document establishes a formal access control standard and outlines the related requirements of the Payment Card Industry Data Security Standard (PCI DSS) that must be implemented in all UMD network infrastructure that processes cardholder data.
Additional authority
The following standard guides the content of this document: Payment Card Industry Data Security Standard (PCI DSS), Requirements 7, 8, and 9.
Scope
This standard applies to all UMD network infrastructure that transmits or processes cardholder data. PCI DSS defines cardholder data as the full Primary Account Number (PAN), alone or together with any of the following: cardholder name, expiration date, or service code. This standard also covers sensitive authentication data, which PCI DSS treats as a separate category: full magnetic stripe or card chip data and Personal Identification Numbers (PINs) or PIN blocks.
Standard
Access to networks that process cardholder data must be controlled to minimize the likelihood of unauthorized access to, and modification of, cardholder data. An effective access control program requires security controls that prevent, detect, and protect against unauthorized access. These controls are addressed by the requirements specified in this standard and must be implemented in order to comply with the access control related requirements of PCI DSS.
NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.
Requirements
Accessing cardholder data
- A formal process must be developed and used to ensure that access to system components and cardholder data is limited to those individuals whose job requires such access.
- Access rights must reflect employee status, job classification, or function and be granted based on the minimum access an individual needs to perform their job duties. Access must default to "deny all" unless specifically allowed.
- Departments must establish a methodology for reviewing the access rights granted to all system users with access to cardholder data.
- Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Authentication and identification
- Access shall be established in a manner such that every user is uniquely identifiable.
- Access to cardholder data via a group, shared, or generic IDs is prohibited.
- If a department's systems are not integrated into the university's Central Authentication System, the department must ensure that its authentication system:
  - Meets the minimum password requirements specified in the USM IT Security Standards.
  - Uses multi-factor authentication on all user and administrative accounts. The authentication mechanisms must be assigned to individual user accounts.
- All access to any database containing cardholder data must be restricted: all user access must be through programmatic methods (for example, through an application or stored procedures rather than ad hoc queries); only database administrators can have direct or query access; and application IDs for database applications can only be used by the applications themselves, not by individual users or non-application processes.
- Ensure that related authentication and security policies and operational procedures are documented, in use, and known to all affected parties.
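The database access requirement above (programmatic access only, direct query access limited to database administrators, application IDs usable only by the application) is easiest to verify when it is expressed as grants rather than procedure. The following PostgreSQL role layout is an added illustration, not part of the UMD standard or any UMD system; the database, schema, table, role and host names (payments, cde, card_token, dba_payments, app_payments, jsmith, 10.20.30.5) are assumptions chosen for the example.

```sql
-- Added example (not from the UMD standard): PostgreSQL grants that enforce
-- "programmatic access only" for a cardholder-data table. All object and
-- role names below are assumptions for illustration.

-- 1. Deny all by default: nothing in the schema is reachable until granted.
CREATE SCHEMA cde;
REVOKE ALL ON SCHEMA cde FROM PUBLIC;
REVOKE ALL ON DATABASE payments FROM PUBLIC;   -- assumes database "payments" exists

CREATE TABLE cde.card_token (
    token_id   bigint  PRIMARY KEY,
    pan_last4  char(4) NOT NULL,      -- truncated PAN only; full PAN is not stored here
    expires    date    NOT NULL
);

-- 2. Database administrators: the only principals with direct query access.
--    Privileges live on a NOLOGIN group role; each DBA gets an individual
--    login (no shared "dba" account), so an access review is a membership check.
CREATE ROLE dba_payments NOLOGIN;
GRANT USAGE ON SCHEMA cde TO dba_payments;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA cde TO dba_payments;
ALTER DEFAULT PRIVILEGES IN SCHEMA cde
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO dba_payments;   -- future tables too
CREATE ROLE jsmith LOGIN IN ROLE dba_payments;   -- uniquely identifiable individual

-- 3. Application ID: no table privileges at all. It may only EXECUTE the
--    function that mediates access. SECURITY DEFINER runs the body with the
--    function owner's rights, so the table is reachable only through it.
CREATE ROLE app_payments LOGIN CONNECTION LIMIT 5;
GRANT USAGE ON SCHEMA cde TO app_payments;

CREATE FUNCTION cde.lookup_last4(p_token bigint)
RETURNS char(4)
LANGUAGE sql
SECURITY DEFINER
SET search_path = cde, pg_temp      -- pin search_path: required hygiene for SECURITY DEFINER
AS $$ SELECT pan_last4 FROM cde.card_token WHERE token_id = p_token $$;

-- PostgreSQL grants EXECUTE to PUBLIC on new functions by default; take it back.
REVOKE ALL ON FUNCTION cde.lookup_last4(bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION cde.lookup_last4(bigint) TO app_payments;

-- 4. Keep the application ID usable only by the application: in pg_hba.conf,
--    accept app_payments only from the application host, over TLS, e.g.
--      hostssl  payments  app_payments  10.20.30.5/32  scram-sha-256
--    and do not list it for any workstation or VPN range.

-- 5. Checks a reviewer can run while impersonating the application role:
--      SET ROLE app_payments;
--      SELECT * FROM cde.card_token;    -- ERROR: permission denied for table card_token
--      SELECT cde.lookup_last4(42);     -- allowed: the only path to the data
--      RESET ROLE;
--    And to list who currently holds direct access:
--      SELECT r.rolname FROM pg_roles r
--      JOIN pg_auth_members m ON m.member = r.oid
--      JOIN pg_roles g ON g.oid = m.roleid WHERE g.rolname = 'dba_payments';
```

The point of the layout is that the application credential cannot issue an ad hoc query even if it leaks, because the privilege to read the table was never granted to it; only the mediating function, owned by a privileged role, can touch the data. The membership query in step 5 is what the periodic access review in the previous section would actually run.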
Restrict physical access of cardholder data
- Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
- Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
- Control physical access by onsite personnel to sensitive areas. Access must be authorized and based on individual job function; system access as well as physical access must be revoked immediately upon termination, and all physical access mechanisms (keys, access cards, etc.) must be returned or disabled.
- Ensure that all visitors are authorized before entering areas where cardholder data is processed or maintained, are given a physical badge or other identification that expires and identifies them as visitors rather than onsite personnel, and are asked to surrender the badge before leaving the facility or at its expiration. Use a visitor log to maintain a physical audit trail of visitor information and activity, including the visitor's name, company, and the onsite personnel authorizing physical access. Retain the log for at least three months unless otherwise restricted by law.
- Maintain strict control over the internal or external distribution of any kind of media.
- Media containing cardholder data must be physically stored in a secure location and only authorized individuals should be granted access to this location.
- Media backups should be stored in a secure offsite location.
- Media must be destroyed when no longer needed.
- Regular inspections of point-of-sale (POS) devices must be performed so that any signs of tampering are discovered quickly. IT Security must be contacted immediately if a POS device shows any signs of tampering.
- Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.