Table of contents
Purpose
This document establishes a formal testing standard and outlines the related requirements specified in the Payment Card Industry Data Security Standards (PCI DSS) that must be implemented into all University of Maryland (UMD) network infrastructures that are processing cardholder data.
Additional authority
The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirement 11.
Scope
This standards applies to all UMD network infrastructures that are transmitting and processing cardholder data. PCI DSS defines the following data elements as cardholder data.
- Full Primary Account Number (PAN)
- Full PAN plus any of the following:
- cardholder name
- expiration date
- service code
- information from magnetic strip or card chip
- Personal Identification Number (PIN)
Standard
Testing must be performed on networks that are processing cardholder data to ensure that the technical security controls that are in place are functioning properly and protecting against the most current vulnerabilities. Additionally, performing testing on networks can assist with discovering security vulnerabilities and potential compromises. The requirements specified in this standard details the network testing requirements that must be followed in order to be compliant with PCI DSS.
NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.
Requirements
- Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points attached to cardholder networks on a quarterly basis. Maintain an inventory of authorized wireless access points and implement incident response procedures in the event unauthorized wireless access points are detected.
- Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an Approved Scanning Vendor. Scans conducted after network changes and internal scans may be performed by internal staff. Vulnerabilities with a CVSS score of 7 or greater must be remediated for internal scans. A CVSS score of 4 or greater requires remediation for external scans.
- Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually and after any significant upgrade or modification. If segmentation is used to reduce PCI DSS scope, perform penetration tests at least annually to verify the segmentation methods are operational and effective. Service providers using segmentation must confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after making changes to these controls.
- Use network intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. IDS/IPS engines, baselines, and signatures must be kept up to date.
- Deploy a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files. Configure the software to perform critical file comparisons at least weekly. Implement a process to respond to any alerts generated by the change-detection solution.