
cash: New Requirements for Processing Customer Credit Cards on a University PC (Virtual Merchant)



Please share this message with Business Managers and System Administrators in units that process customer credit cards using a university PC.  It is also being sent to all Virtual Merchant users.

New security requirements are being developed, and will be enacted, for the use of university computers to process customer credit cards with a hosted payment solution such as Virtual Merchant.

Over the past six months Business Affairs has been working with the Oregon State Treasury and their Qualified Security Assessor to clarify the requirements for using university PCs to process customer credit cards in a way that is compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The most significant change that will impact departments, particularly those using Virtual Merchant to process credit cards with a PC that is not already behind a university firewall, is the requirement for a Qualified Security Assessor (QSA) to perform quarterly network vulnerability scans.  The cost of quarterly scan services, which Treasury is now negotiating with its QSA, will be passed on to university departments.  To participate in the quarterly scans departments must register with Business Affairs the IP and MAC address of any PC used for credit card processing.

Here is a draft version of the new university requirements:

Any PC that is directly accessible over the internet (routable IP) and is used to enter or swipe credit card data to obtain card authorizations through a hosted payment solution such as Virtual Merchant or Paciolan must meet the following three requirements:

1.   Register the machine’s IP and MAC address with Business Affairs so that it can be scanned each quarter by a Qualified Security Assessor (QSA) and by Network and Telecom Services.

2.   Segment the machine from the rest of the network (subnet), either with a hardware firewall or with the operating system firewall configured to limit inbound access to the machine itself.

3.   Harden the machine to prevent malware infection.  Anti-virus must be configured, current and operable (ideally using centralized policy).  Operating system and other software must be patched and current using an audit and patch management system.
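The following PowerShell script is an added example, not part of the original announcement or of any university tool, of how a system administrator could audit (and, with -Enforce, apply) requirements 1 to 3 on a single Windows PC: it prints the IP and MAC address needed for registration, checks that the host firewall blocks all unsolicited inbound traffic, and checks that anti-virus is running with current signatures and that patches are current. It assumes Windows 8 / Server 2012 or later with the built-in NetSecurity and Defender modules; the management subnet, port and age thresholds are placeholders to be replaced with the unit's own values.

```powershell
<#
  Added example (not from the original announcement): audit, and optionally
  enforce, the three draft requirements on a Windows PC that uses a hosted
  payment page. Assumes Windows 8 / Server 2012 or later with the NetSecurity
  and Defender PowerShell modules. Subnet, port and thresholds are placeholders.
  Run from an elevated prompt:  .\Check-CardPC.ps1            (audit only)
                                .\Check-CardPC.ps1 -Enforce   (apply firewall policy)
#>
[CmdletBinding()]
param(
    [switch]$Enforce,
    # Placeholder: management subnet allowed to reach the PC (patching / remote support).
    [string]$ManagementSubnet = '192.0.2.0/24',
    # Placeholder: single management port allowed from that subnet.
    [int]$ManagementPort = 3389,
    # Placeholder thresholds: maximum age of AV signatures and of the newest installed patch.
    [int]$MaxSignatureAgeDays = 3,
    [int]$MaxPatchAgeDays = 30
)

$findings = @()

# --- Requirement 1: report IP and MAC address for registration with Business Affairs ---
foreach ($a in (Get-NetAdapter -Physical | Where-Object Status -eq 'Up')) {
    $ips = (Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 `
                -ErrorAction SilentlyContinue).IPAddress
    Write-Output ("Register: {0}  MAC={1}  IPv4={2}" -f $a.Name, $a.MacAddress, ($ips -join ','))
}

# --- Requirement 2: host firewall limiting access to the machine itself ---------------
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled -or $p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($p.Name)' is not enabled with default inbound Block"
    }
}
if ($Enforce) {
    # Drop all unsolicited inbound traffic on every profile; outbound stays allowed so the
    # hosted payment page (HTTPS) and update downloads keep working.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    # One explicit exception only: management from the placeholder subnet.
    if (-not (Get-NetFirewallRule -DisplayName 'CardPC-Mgmt' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'CardPC-Mgmt' -Direction Inbound -Action Allow `
            -RemoteAddress $ManagementSubnet -Protocol TCP -LocalPort $ManagementPort | Out-Null
    }
}

# --- Requirement 3: anti-virus configured, current and operable; OS patched -----------
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings += 'Anti-virus is not enabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old"
    }
} catch {
    # Non-Defender AV products do not expose this cmdlet; check that product's console instead.
    $findings += 'Could not query Windows Defender status; verify the installed AV product'
}

$newestPatch = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $newestPatch -or ((Get-Date) - $newestPatch.InstalledOn).Days -gt $MaxPatchAgeDays) {
    $findings += "No patch installed within the last $MaxPatchAgeDays days"
}
# Ask the Windows Update agent how many applicable updates are still missing.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
if ($pending -gt 0) { $findings += "$pending update(s) pending installation" }

# --- Summary --------------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'PASS: firewall, anti-virus and patch checks all satisfied'
    exit 0
}
Write-Output 'FAIL:'
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Running the script in audit mode before each quarterly scan gives the unit a record of the machine's state; the -Enforce switch only changes the firewall policy, since anti-virus and patching are expected to come from the centralized policy and patch management system the requirement describes.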

The university has explored a variety of security measures to mitigate the risk of malware infection on PCs used to process credit cards:

· Dedicated PC or netbook for credit card processing

· Application whitelisting (MS AppLocker or third party solutions)

· Virtual desktop for credit card processing or for all other university work

While effective, none of these measures negate the previously stated quarterly scan, segmentation, and hardening requirements.

Units can avoid the external QSA scan requirement by limiting Virtual Merchant use to PCs that are behind a university-provided firewall and therefore not accessible over the internet.  Contact Network and Telecom Services for assistance.  These PCs, however, must still be hardened as described above.

If you would like to learn more about the new requirements and participate in their development please contact Mark McCulloch, BAO Assistant Director for Information Systems, at 6-6249.

Over the past year we have seen a dramatic increase in the number of university PCs infected with information-stealing malware.  This is particularly alarming since in some cases these PCs contain or process protected information such as student records, personally identifiable information (SSN), health records, donor records, research subject information and customer credit card data.  In a typical scenario an employee visits a legitimate website carrying a banner advertisement with malicious code that quietly installs a Trojan by exploiting a vulnerability in Adobe Reader, Adobe Flash, Internet Explorer or Firefox.  The Trojan begins logging keystrokes, looking for protected data, and at some later point begins transmitting the data to an untrusted host computer in another country.

The use of a university PC both to process customer credit card data and to browse the internet is inherently risky, and the burden of PCI compliance has just become much more formidable.  Many units began using Virtual Merchant because it was cheaper and could be run on any PC in the office.  These advantages are now gone, and units may be well advised to stop using Virtual Merchant and return to card swipe (Hypercom) terminals.  Card swipe terminals are single-purpose machines that are much more difficult to hack, and very little department effort is required to comply with PCI standards.

The BAO Cashiers can assist with the lease or purchase of Hypercom terminals.  Both wired and wireless models are available.  Contact Mike Syljuberget, Cashier Manager, at 6-3164.


Mark McCulloch
Asst Director Business Affairs Info Systems
(541) 346-6249