## Description
The IT Common Platform (ITCP) supports applications that require PCI DSS v4.0 SAQ-A compliance. These applications do not process payments themselves; they link to a payment processor. Receipts that contain account data are handled.
## Requirements Applicable to ITCP
We have identified the requirements that apply to our service and, under each item, note in bold how we meet them.
### Requirement 2: Apply Secure Configurations to All System Components
- 2.2.2 - Change default passwords

  **The ITCP does not use default passwords.**
### Requirement 6: Develop and Maintain Secure Systems and Software
- 6.3.1 - Security vulnerabilities are identified and managed as follows:
  - New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
  - Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
  - Risk rankings identify, at a minimum, all vulnerabilities considered to be high-risk or critical to the environment.

  **We use Trivy to track vulnerabilities and their severity. Alerts for critical security issues from AWS are delivered to the #it-common-platform-alerts Slack channel.**
- 6.3.3 - All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
  - Critical or high-security patches/updates are installed within one month of release.

  **Critical vulnerabilities must be patched within one week per the Virginia Tech IT Security Office. We also review vulnerabilities at least monthly and patch as necessary.**
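As an added example (not ITCP's own tooling), the following Python script shows how a Trivy JSON report can be turned into the risk ranking 6.3.1 asks for and the patch-due dates 6.3.3 implies. It assumes the `trivy image --format json` layout, a constructed sample report whose CVE IDs and package versions are placeholders, and SLA days taken from the statements above (7 for critical, 30 for high); the 30-day figure for MEDIUM/LOW is an assumption tied to the monthly review, not something the page states.

```python
"""Rank Trivy findings and assign patch due dates (added example, not ITCP code).

Assumptions (not from the page): the JSON schema below is the `trivy image
--format json` layout; SLA days come from the statements above (critical within
a week per the VT IT Security Office, high within one month per PCI DSS 6.3.3);
MEDIUM/LOW are assumed to follow the monthly review cadence.
"""
import json
from datetime import date, timedelta

# Days allowed from scan date to remediation, keyed by Trivy severity label.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 30, "LOW": 30, "UNKNOWN": 30}
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample resembling `trivy image --format json` output. The CVE IDs,
# image name and package versions are placeholders, not real findings.
SAMPLE_TRIVY_JSON = json.dumps({
    "Results": [
        {
            "Target": "registry.example.edu/itcp/app:1.2.3 (debian 12.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3.4", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
                 "Severity": "LOW"},
            ],
        }
    ]
})


def rank_findings(report_json: str, scan_date_iso: str):
    """Flatten a Trivy report into findings sorted CRITICAL first, each with a due date.

    Trivy omits "Vulnerabilities" (or sets it to null) for a clean target, so the
    loop tolerates a missing list.
    """
    report = json.loads(report_json)
    scan_date = date.fromisoformat(scan_date_iso)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if sev not in SLA_DAYS:
                sev = "UNKNOWN"
            findings.append({
                "id": vuln["VulnerabilityID"],
                "target": result["Target"],
                "package": vuln["PkgName"],
                "severity": sev,
                # An empty FixedVersion means no vendor fix yet: still tracked,
                # but flagged so a compensating control can be documented.
                "fix_available": bool(vuln.get("FixedVersion")),
                "due": scan_date + timedelta(days=SLA_DAYS[sev]),
            })
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


def overdue(findings, today_iso: str):
    """Findings whose due date has passed: the items that would fail 6.3.3."""
    today = date.fromisoformat(today_iso)
    return [f for f in findings if f["due"] < today]


def must_rank(findings):
    """CRITICAL/HIGH findings: the minimum set 6.3.1 requires the ranking to identify."""
    return [f for f in findings if f["severity"] in ("CRITICAL", "HIGH")]


if __name__ == "__main__":
    ranked = rank_findings(SAMPLE_TRIVY_JSON, "2024-01-01")
    for f in ranked:
        fix = "yes" if f["fix_available"] else "no"
        print(f"{f['severity']:8} {f['id']}  {f['package']}  due {f['due']}  fix={fix}")
    print(f"{len(overdue(ranked, '2024-01-10'))} finding(s) overdue as of 2024-01-10")
```

Run it against a real report with `trivy image --format json -o report.json <image>` and load that file instead of the sample; the overdue list is what a monthly review should drive to zero, and findings with no fix available are the ones that need a documented compensating control rather than a patch.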
### Requirement 8: Identify Users and Authenticate Access to System Components
- 8.2.2 - Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
  - Account use is prevented unless needed for an exceptional circumstance.
  - Use is limited to the time needed for the exceptional circumstance.
  - Business justification for use is documented.
  - Use is explicitly approved by management.
  - Individual user identity is confirmed before access to an account is granted.
  - Every action taken is attributable to an individual user.

  **ITCP systems do not use shared authentication credentials; every user authenticates with an individual account. Access logs are forwarded to Splunk and retained for at least 6 months.**
- 8.2.5 - Access for terminated users is immediately revoked.

  **Access for ITCP personnel is revoked when they are terminated.**
- 8.3.1 - All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
  - Something you know, such as a password or passphrase.
  - Something you have, such as a token device or smart card.
  - Something you are, such as a biometric element.

  **All access requires two-factor authentication.**
- 8.3.5 - If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows:
  - Set to a unique value for first-time use and upon reset.
  - Forced to be changed immediately after the first use.

  **The university follows this procedure for password provisioning and resets.**
- 8.3.6 - If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
  - A minimum length of 12 characters (or, if the system does not support 12 characters, a minimum length of eight characters).
  - Contain both numeric and alphabetic characters.

  **The university passphrase standard meets this: https://it.vt.edu/projects/accounts/passphrase.html**
- 8.3.7 - Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.

  **Met by the university standard (a new passphrase cannot be the same as any of the last five).**
- 8.3.9 - If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:
  - Passwords/passphrases are changed at least once every 90 days, OR
  - The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

  **Not applicable: all access requires two-factor authentication, so passwords are never the only factor.**
### Requirement 9: Restrict Physical Access to Cardholder Data
- 9.4.1 - All media with cardholder data is physically secured.
- 9.4.1.1 - Offline media backups with cardholder data are stored in a secure location.

  **All media is stored in the AISB or Cassell Coliseum data centers, which are secured facilities. All data on our NetApp appliances is encrypted at rest.**
- 9.4.2 - All media with cardholder data is classified in accordance with the sensitivity of the data.

  **All media is treated as containing sensitive data and is wiped with DBAN before it leaves the secure building. Each wipe consists of three passes: two passes of random data followed by one pass writing all zeros.**
- 9.4.3 - Media with cardholder data sent outside the facility is secured as follows:
  - Media is sent by secured courier or other delivery method that can be accurately tracked.

  **Media is not sent outside the facility unless it has been securely wiped.**
- 9.4.4 - Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).

  **Media is not sent outside the facility unless it has been securely wiped.**
### Requirement 11: Test Security of Systems and Networks Regularly
- 11.3.2 - External vulnerability scans are performed as follows:
  - At least once every three months.
  - By a PCI SSC Approved Scanning Vendor (ASV).
  - Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
  - Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.

  **The PCI office coordinates external scans. The ITCP team performs any required remediation upon notification.**
- 11.3.2.1 - External vulnerability scans are performed after any significant change as follows:
  - Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.
  - Rescans are conducted as needed.
  - Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV).

  **The PCI office coordinates external scans. The ITCP team performs any required remediation upon notification.**
### Requirement 12: Support Information Security with Organizational Policies and Programs
- 12.10.1 - An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to:
  - Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum.
  - Incident response procedures with specific containment and mitigation activities for different types of incidents.
  - Business recovery and continuity procedures.
  - Data backup processes.
  - Analysis of legal requirements for reporting compromises.
  - Coverage and responses of all critical system components.
  - Reference or inclusion of incident response procedures from the payment brands.

  **The Virginia Tech IT Security Office maintains an incident response guide: https://security.vt.edu/docs/incident/incident_response.pdf**