This document is the property of GRANITE GOLD SERVICES; it contains information that is proprietary, confidential, or otherwise restricted from disclosure. If you are not an authorized recipient, please return this document to the above-named owner. Dissemination, distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of GRANITE GOLD SERVICES.
This document explains GRANITE GOLD SERVICES’s credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program. GRANITE GOLD SERVICES management is committed to these security policies to protect information utilized by GRANITE GOLD SERVICES in attaining its business goals. All employees are required to adhere to the policies described within this document.
Scope of Compliance
The PCI requirements apply to all systems that store, process, or transmit cardholder data. Currently, GRANITE GOLD SERVICES’s cardholder environment consists only of limited payment applications (typically point-of-sale systems) connected to the internet, but does not include storage of cardholder data on any computer system.
Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) A-EP, ver. 3.0, released February, 2014. Should GRANITE GOLD SERVICES implement additional acceptance channels, begin storing cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ A-EP, it will be the responsibility of GRANITE GOLD SERVICES to determine the appropriate compliance criteria and implement additional policies and controls as needed.
GRANITE GOLD SERVICES’s network will be configured with a requirement for a firewall at each Internet connection and between the internet-facing demilitarized zone (DMZ) containing the in-scope web server and the internal network zone that contains systems not directly involved in the payment process. (PCI Requirement 1.1.4)
The network administrator shall maintain documentation which details use of all services, protocols, and ports allowed into the internal network zone. This list will include business justification for any traffic allowed in or out of the network. It will also include documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2. (PCI Requirement 1.1.6)
Firewalls must restrict connections between untrusted networks and any system in the cardholder data environment. An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage. Access to the internet must be through a firewall, as must any direct connection to a vendor, processor, or service provider.(PCI Requirement 1.2)
Inbound and outbound traffic must be restricted by the firewalls to that which is necessary for the cardholder data environment. All other inbound and outbound traffic must be specifically denied. (PCI Requirement 1.2.1)
Firewall configuration must prohibit direct public access between the Internet and any system component in the cardholder data environment as follows:
Vendor-supplied defaults must always be changed before installing a system on the network. Examples of vendor-defaults include passwords, SNMP community strings, and elimination of unnecessary accounts. (PCI Requirement 2.1)
Configuration Standards for Systems
Configuration standards for all system components must be developed and enforced. GRANITE GOLD SERVICES must insure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. (PCI Requirement 2.2)
Configuration standards must be updated as new vulnerability issues are identified, and they must be enforced on any new systems before they are added to the cardholder data environment. The standards must cover the following:
System administrators and any other personnel that configure system components must be knowledgeable about common security parameter settings for those system components. They must also be responsible to insure that security parameter settings set appropriately on all system components before they enter production. (PCI Requirement 2.2.4)
Non-Console Administrative Access
Credentials for non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS. Encryption technologies must include the following: (PCI Requirement 2.3)
Processes must be in place to securely delete sensitive authentication data (defined below) post-authorization so that the data is unrecoverable. (PCI Requirement 3.2)
Payment systems must not store of sensitive authentication data in any form after authorization (even if encrypted). Sensitive authentication data is defined as the following:
Transmission of Cardholder Data
In order to safeguard sensitive cardholder data during transmission over open, public networks, GRANITE GOLD SERVICES will use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.). These controls will be implemented as follows: (PCI Requirement 4.1)
All systems, particularly personal computers and servers commonly affected by viruses, must have installed an anti-virus program which is capable of detecting, removing, and protecting against all know types of malicious software. (PCI Requirement 5.1, 5.1.1)
For systems considered to be not commonly affected by malicious software, GRANITE GOLD SERVICES will perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. (PCI Requirement 5.1.2)
All anti-virus programs must be kept current through automatic updates, be actively running, be configured to run periodic scans, and be capable of as well as configured to generate audit logs. Anti-virus logs must also be retained in accordance with PCI requirement 10.7. (PCI Requirement 5.2)
Steps must be taken to insure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. (PCI Requirement 5.3)
Risk and Vulnerability
GRANITE GOLD SERVICES will establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
Risk rankings are to be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected. Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk-assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data. (PCI Requirement 6.1)
All critical security patches must be installed with one month of release. This includes relevant patches for operating systems and all installed applications. All applicable non-critical vendor-supplied security patches are installed within an appropriate time frame (for example, within three months). (PCI Requirement 6.2)
GRANITE GOLD SERVICES will enforce change control procedures for the implementation of security patches and software modifications to the in-scope system or systems. These procedures must include documented evidence of the following elements for each software change: (PCI Requirement 6.4.5)
GRANITE GOLD SERVICES’s software development practice will incorporate secure coding techniques at all levels of the development life cycle. Application developers should be properly trained to identify and resolve issues related to common coding vulnerabilities. Having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices. Training for developers will be provided in-house or by third parties and should be applicable for technology used to develop the customer facing web code.
All software development will be done with security in mind, and with practices that are aware of the following common issues at a minimum:
The vulnerabilities listed above were current with industry best practices when version 3.0 of the PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be incorporated into the development process.
For the public-facing web applications that are part of the payment process, in addition to secure coding GRANITE GOLD SERVICES must address new threats and vulnerabilities on an ongoing basis. These applications shall be protected against known attacks by one of either of the following methods: (PCI Requirement 6.6)
Limit Access to Cardholder Data
Access to GRANITE GOLD SERVICES’s cardholder system components and data is limited to only those individuals whose jobs require such access. (PCI Requirement 7.1)
Access limitations must include the following:
Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities. (PCI Requirement 7.1.2)
Privileges must be assigned to individuals based on job classification and function (also called “role-based access control). (PCI Requirement 7.1.3)
The following must be followed for all user accounts that have access to the system or systems that are part of the payment environment:
Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: (PCI Requirement 8.5)
In addition to assigning a unique ID for each user, ensure proper user-authentication management for non-consumer users (i.e.: employees and contractors) and administrators on all system components by employing at least one of the following methods to authenticate all users: (PCI Requirement 8.2)
Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. (PCI Requirement 8.2.1)
Passwords/phrases must meet the following: (PCI Requirement 8.2.3)
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Change user passwords/passphrases at least every 90 days. (PCI Requirement 8.2.4)
Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. (PCI Requirement 8.2.5)
Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. (PCI Requirement 8.2.6)
Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: (PCI Requirement 8.6)
Two-factor authentication must be incorporated for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (PCI Requirement 8.3)
Physically Secure All Areas and Media Containing Cardholder Data
Appropriate facility entry controls must be used to limit and monitor physical access to systems in the cardholder data environment. (PCI requirement 9.1)
Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:
All media must be physically secured. (PCI requirement 9.5)
Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls shall include: (PCI Requirement 9.6)
Strict control must be maintained over the storage and accessibility of media containing cardholder data. (PCI Requirement 9.7)
Destruction of Data
All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. (PCI requirement 9.8)
Hardcopy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. (PCI requirement 9.8.1.a)
Containers storing information waiting to be destroyed must be secured (locked) to prevent access to the contents by unauthorized personnel. (PCI requirement 9.8.1.b)
Audit Log Collection
GRANITE GOLD SERVICES will implement technical controls that create audit trails in order to link all access to system components to an individual user. The automated audit trails created will capture sufficient detail to reconstruct the following events:
GRANITE GOLD SERVICES’s log generating and collecting solution will capture the following data elements for the above events:
Write logs for external-facing technologies such as the web server that provides the payment service onto a secure, centralized, internal log server or media device. (PCI Requirement 10.5.4)
Audit Log Review
GRANITE GOLD SERVICES’s systems administrators will perform daily review of the audit logs. This review may be manual or automated but must monitor for and evaluate: (PCI Requirement 10.6.1)
The audit review must also check the logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. (PCI Requirement 10.6.2)
Subsequent to log review, systems administrators or other responsible personnel will follow up exceptions and anomalies identified during the review process. (PCI Requirement 10.6.3)
GRANITE GOLD SERVICES must retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). (PCI Requirement 10.7)
At least quarterly, and after any significant changes in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades), GRANITE GOLD SERVICES will perform vulnerability scanning on all in-scope systems. (PCI Requirement 11.2)
Quarterly external vulnerability scan results must satisfy the ASV Program guide requirements (for example, no vulnerabilities rated higher than a 4.0 by the CVSS and no automatic failures). External vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Scan reports must be retained for a minimum of a year. (PCI Requirement 11.2.2)
For external vulnerability scans, GRANITE GOLD SERVICES shall perform rescans as needed to validate remediation of failures detected during previous scans, as well as after any significant change to the network. Scans must be performed and reviewed by qualified personnel. (PCI Requirement 11.2.3)
Penetration testing of the system or systems providing the payment service must be performed by a qualified individual who implements a methodology for penetration testing that includes the following: (PCI Requirement 11.3)
Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). (PCI Requirement 11.3.1)
When exploitable vulnerabilities are found during penetration testing, the vulnerabilities must be corrected and testing then repeated to verify the corrections were effective. (PCI Requirement 11.3.3)
If segmentation is used to isolate the CDE from other networks, perform tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems. These tests need to be done from multiple locations on the internal network, checking both for improper accessibility from the out-of-scope zones to the in-scope zone as well as the reverse. (PCI Requirement 11.3.4)
For all in-scope systems for which it is technically possible, GRANITE GOLD SERVICES must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. The change detection software must be integrated with the logging solution described above, and it must be capable of raising alerts to responsible personnel. (PCI Requirement 11.5.1)
For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider). (PCI Requirement 11.5)
GRANITE GOLD SERVICES shall establish, publish, maintain, and disseminate a security policy that addresses how the company will protect cardholder data. (PCI Requirement 12.1)
This policy must be reviewed at least annually, and must be updated as needed to reflect changes to business objectives or the risk environment. (PCI requirement 12.1.1)
GRANITE GOLD SERVICES’s policies and procedures must clearly define information security responsibilities for all personnel. (PCI Requirement 12.4)
Incident Response Policy
The Security Manager shall establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. (PCI requirement 12.5.3)
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day to day activities include, but are not limited to,
Reporting an Incident
The Security Manager should be notified immediately of any suspected or real security incidents involving cardholder data:
Contact the Security Manager to report any suspected or actual incidents. The Internal Audit’s phone number should be well known to all employees and should page someone during non-business hours.
No one should communicate with anyone outside of their supervisor(s) or the Security Manager about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Security Manager.
Document any information you know while waiting for the Security Manager to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.
Incident Response Policy (PCI requirement 12.10.1)
Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.
Contain, Eradicate, Recover and perform Root Cause Analysis
Provide the compromised Visa accounts to Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa’s “What to do if compromised” documentation for additional activities that must be performed. That documentation can be found at http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_what_to_do_if_compromised.pdf
Contact your merchant bank for specific details on what to do following a compromise. Details on the merchant bank (aka. the acquirer) can be found in the Merchant Manual at http://www.mastercard.com/us/wce/PDF/12999_MERC-Entire_Manual.pdf. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.
Contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.
Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of the Security Manager and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security control can be made more effective or efficient, must be updated accordingly.
GRANITE GOLD SERVICES shall establish and maintain a formal security awareness program to make all personnel aware of the importance of cardholder data security. (PCI Requirement 12.6)
GRANITE GOLD SERVICES shall implement and maintain policies and procedures to manage service providers. (PCI requirement 12.8)
This process must include the following:
FREE SHIPPING On Orders $50 Or More. Contiguous U.S. States Only.