Download LOGO - The Ray Society

The Ray Society
(Registered Charity No. 208082)
Credit Card Security Policy
PCI DSS 2.0
Version 1.0 [DRAFT 2]
01 September 2013
CONFIDENTIAL INFORMATION
This document is the property of The Ray Society. If you are not an authorised recipient, please return this
document to the above-named owner. Dissemination, distribution, copying or use of this document in whole or in
part by anyone other than the intended recipient is strictly prohibited without prior written permission of The Society.
1 of 7
Revision History
Changes
Approving Manager
Date
Initial Publication
Glossary
The Ray Society (‘The Society’)
A book publishing charity. The Society is managed by a council of volunteers. It has members
who pay a subscription to The Society and in exchange receive notification of forthcoming
publications and discounted purchases. The members play no part in the management of The
Society.
Trustees
Members of the Ray Society’s Council. The Council meets twice yearly and manages The Society.
Officers
The Honorary Secretary and Honorary Treasurer. These primary officers are members of Council
and hence also Trustees. They manage, outside their normal employment, the day to day
business of The Society as delegated by Council. Council may also appoint an Assistant Honorary
Secretary. An Assistant Honorary Secretary is an officer of The Society but is not necessarily a
member of Council.
“Officers and trustees”
A form of words used here to include all trustees, plus any officers who are not trustees.
“Institution physically hosting The Ray Society”
The Society neither rents nor owns premises. The Society’s archive, papers and – for the
purposes of this document – credit and debit card facilities are physically located in the premises of
the organisation employing The Society’s primary officers. This is currently The Natural History
Museum, London, which by agreement acts as host institution and postal address for The Society.
“Force of Law”
A form of words used here to include a Court Order or any other legal requirement.
2 of 7
Introduction and Scope
Introduction
The Ray Society is a natural history book publishing charity. The Society may make credit card sales of books by
face-to-face or telephone transactions using a credit card reader. This document explains The Ray Society’s
credit card security requirements as laid down by the Payment Card Industry Data Security Standard (PCI DSS)
programme. The Ray Society’s officers and trustees are committed to these security policies to protect
information utilised by The Ray Society in attaining its charitable objectives. All officers and trustees are required
to adhere to the policies described within this document.
Scope of Compliance
The PCI requirements apply to all systems that store, process, or transmit cardholder data. Currently, The
Society’s cardholder environment consists only of imprint machines or standalone dial-out terminals. The
environment does not include storage of cardholder data on any computer system.
Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as
defined in Self-Assessment Questionnaire (SAQ) B, ver. 2.0, October, 2010. Should The Society implement
additional acceptance channels, begin storing, processing, or transmitting cardholder data in electronic format, or
otherwise become ineligible to validate compliance under SAQ B, it will be the responsibility of The Society to
determine the appropriate compliance criteria and implement additional policies and controls as needed.
Relevant PCI DSS Requirements
Requirement 3: To Protect Stored Cardholder Data
Prohibited Data
The Society employs procedures securely to delete sensitive authentication data post-authorisation so the data
are unrecoverable (PCI Requirement 3.2).
The Society’s Officers shall not receive card-holders’ financial data (card numbers or three digit security numbers)
electronically other than directly to a card-reading device. Receiving such data during a telephone call from the
purchaser for a ‘customer not present’ transaction is permitted. The Society’s Officers shall not input cardholders’ financial data onto any computer system. A Society officer may make a hand-written note of cardholders’ financial data at the time of a face-to-face or telephone purchase. Once payment has been authorised
The Society officer taking the payment shall commit the handwritten note and, in the case of telephone
transactions the printed receipt, to a confidential shredding bag belonging to the institution physically hosting The
Society. This bag shall be secured in a locked filing cabinet within a room which is itself locked when not
occupied until removed by the institution physically hosting The Society to be shredded with its own confidential
papers.
The Society’s payment systems shall adhere to the following requirements regarding non-storage of sensitive
authentication data after authorisation (even if encrypted):
The full contents of any track data from the magnetic stripe (located on the back of a card, equivalent data
contained on a chip, or elsewhere) are not stored under any circumstance (PCI Requirement 3.2.1).
The card verification code or value (three-digit or four-digit number printed on the front or back of a
payment card) is not stored under any circumstance (PCI Requirement 3.2.2).
The personal identification number (PIN) or the encrypted PIN block is not stored under any circumstance
(PCI Requirement 3.2.3).
3 of 7
Displaying the primary account number (PAN)
On any occasion where authorised persons must on behalf of The Society retain card-holders’ financial data for a
legitimate purpose for any time beyond payment authorisation these persons shall mask the display of the PAN to
show no more than the first six and the last four digits of the number and shall limit the viewing of these numbers
to only those parties with a legitimate need (PCI requirement 3.3).
Requirement 4: Transmission of Cardholder Data Across Open, Public Networks
Transmission of Cardholder Data
Sending unencrypted PANs by end-user messaging technologies is prohibited. Examples of end-user
technologies include email, instant messaging and chat (PCI requirement 4.2). The Society shall not transmit
card-holders’ financial data by electronic means to any party unless exceptionally obliged to do so by force of law.
Requirement 7: Access to Cardholder Data by Sales Processing must be ‘Need to
Know’
Limit Access to Cardholder Data
Access to The Society’s cardholder system components and data is limited to only those individuals whose roles
require such access (PCI Requirement 7.1). Access shall be restricted to the three primary officers of The
Society for the time being: the President; the Honorary Treasurer; and the Honorary Secretary.
Requirement 9: To Restrict Physical Access to Cardholder Data
Physically Secure all Media Containing Cardholder Data
Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes,
etc.) are subject to the following storage guidelines:
All media must be physically secured (PCI requirement 9.6). The Society’s hard copy materials shall be treated
as described under Requirement 3 above.
Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls shall include:
Media must be classified so the sensitivity of the data can be determined (PCI Requirement 9.7.1). The
Society shall treat all cardholder data as of the highest category of sensitivity.
Media must be sent by a secure carrier or other delivery method that can be accurately tracked (PCI
Requirement 9.7.2). The Society shall not distribute media in the normal course of its activities but if media
need to be distributed (e.g. by force of law) then they shall be sent by a secure method and tracking their
delivery shall be mandatory.
Council must approve any and all movement of media from a secured area (PCI Requirement 9.8). For any
purpose other than removal for confidential disposal as described under Requirement 3 above Council’s approval
(from at least The Society’s President acting on Council’s behalf or in the absence of the President a VicePresident acting on Council’s behalf) shall be obtained prior to moving any media from a secure area and logs
shall be maintained of the movement of any media.
Strict control must be maintained over the storage and accessibility of media containing cardholder data (PCI
Requirement 9.9). The Society shall not store media containing cardholder data beyond the terms described
under Requirement 3 above unless exceptionally required to do so (e.g. by force of law).
Destruction of Data
All media containing cardholder data must be destroyed when no longer needed for sales or legal reasons (PCI
requirement 9.10). The Society shall not generate electronic media recording cardholder data. Hardcopy media
must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. Any
container storing information waiting to be destroyed must be secured to prevent access to the contents (PCI
4 of 7
requirement 9.10.1). The Society shall destroy hardcopy media containing cardholder data as described under
Requirement 3 above.
Requirement 12: Maintain a Policy that Addresses Information Security for The
Society’s Officers, Trustees, Members, Visitors, and Contractors (including but not
limited to printers and their agents)
Security Policy
The policy herein stated, ‘The Ray Society Credit Card Security Policy’, is The Society’s security policy under the
terms of PCI Requirement 12.1.
The Society shall review this policy each year at the meeting of Trustees immediately prior to the Annual
General Meeting of members. The review shall consider any and all relevant changes to data protection
regulations and any and all relevant changes to the physical environment in which The Society acquires, uses
and destroys the personal data. If required the Trustees shall advise and monitor any required changes to this
policy and arrange for the timely dissemination of the updated version. A copy of the policy shall be freely
available on the website of The Society.
Critical Technologies
(to be finalised)
The Ray Society shall establish usage policies for critical technologies (for example, remote-access technologies,
wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs),
email, and internet usage. (PCI requirement 12.3)
XXXXXXXXXXXXX
These policies must include the following:
Explicit approval by authorised parties to use the technologies (PCI Requirement 12.3.1)
A list of all such devices and personnel with access (PCI Requirement 12.3.3)
Acceptable uses of the technologies (PCI Requirement 12.3.5)
Paul,
Slightly puzzled by your response here. You say,
“The Society does not employ any removable electronic media, laptop computers, tablet computers, personal
data/digital assistants (PDAs), email and internet usage for the storage or transfer of card-holders’ financial data.
Our system is safe and run by the museum IT system.
[Does this mean you do use desktop computers? If so, for what? I’m assuming the card reader uses the
telephone lines rather than the internet. Please correct me if I’m wrong.]
We consider that our pay pal system is OK
[Yipes! Is that different to the card reader? Please explain how that works to a dimwit if that is different to the
card reader. We’ll have to check whether that falls under the PCI DSS requirements. I hope not.]
because they do not give us any access to card numbers, just name and addresses.”
Security Responsibilities (PCI Requirement 12.4).
Only The Society’s officers shall have access to the personal financial data of members or other purchasers.
Postal addresses may be passed to The Society’s agents (for example printers or distributors of The Society’s
published products) to facilitate the dispatch of goods but personal financial data shall not form part of that
information transfer.
Security Incident Identification
5 of 7
Officers must be aware of their responsibilities in detecting security incidents to facilitate the incident response
plan and procedures (See Schedule 1 below). All officers have a responsibility to assist in the incident response
procedures. Some examples of security incidents that an officer might recognise in their day to day activities
include, but are not limited to,

Theft, damage, or unauthorised access (e.g., papers missing from their desk, broken locks, missing log
files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorised physical
entry).

Fraud – Inaccurate information within databases, logs, files or paper records.
Incident Response (PCI Requirement 12.5.3).
The Society through the agency of any person first noticing a security incident shall report the incident to the
security office of the institution physically hosting The Society as soon as the incident is noticed. The Society
shall at all times follow the instructions of, and give full and unrestricted assistance to, the security officers of said
institution in their investigation into the causes and consequences of the incident. The Society shall maintain
detailed documentation regarding any incident independently of the host institution’s security investigation to
ensure all possible steps are taken to minimize the damage in any security incident and to provide information
that can be used to ensure such incidents cannot recur. Any incident or suspected incident should also be
reported immediately upon discovery to the President (or in the absence of the President a Vice-President) of The
Society.
The officer noticing the suspected or real security breach must document any pertinent information while waiting
for the President (or Vice-President) and the security office of the institution physically hosting The Society to
respond to the incident. If known, this must include date, time, the nature of the incident and the names of any
customers or other individuals personally affected or potentially affected by the suspected or real breach. See
also Schedule 1 below.
Security Awareness (PCI Requirements 12.6 & 12.9).
The President of the Society shall ensure the Society’s officers are fully trained in the protection of purchasers’
personal financial data at the time the officer first takes up their duties for The Society and shall satisfy him- or
her-self at least once every year, at or around the time of the Annual General Meeting of the Society, that the
officers for the time being are conversant with The Society’s policies and practices with regard to data security
and that all policies that should be implemented on a daily basis are in fact being implemented.
Service Providers (PCI requirement 12.8).
The Society shall not pass to service providers any personal financial data. The Society may pass to service
providers the names and postal addresses of purchasers or reviewers of the Society’s products to facilitate
despatch of goods to these persons and may inform service providers if required whether named purchasers
have completed payment for the goods.
The Society’s officers shall maintain written records of all and any service providers engaged in business dealings
with the Society (including but not limited to printers and those storing and/or distributing the Society’s products)
and shall keep written records of what personal information has been passed to each service provider, clearly
indicating the date the information was passed and how (PCI requirement 12.8.1).
Encl. Schedule 1
6 of 7
Schedule 1
Security Incident Response
The Society’s responses may include or proceed through the following stages: identification, classification of
severity, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.
Contain, Eradicate, Recover and perform Root Cause Analysis
1. Notify applicable card associations.
Visa
Provide the compromised Visa accounts to Visa Fraud Control Group within ten (10) business days. For
assistance, contact the merchant / acquiring bank. Account numbers must be securely sent to Visa as
instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are
provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the
confidentiality of entity and non-public information. Visa’s “What to do if compromised” documentation for
additional activities that must be performed. That documentation can be found at
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_what_to_do_if_compromised.pdf
MasterCard
Contact your merchant bank for specific details on what to do following a compromise. Your merchant
bank will assist when you call MasterCard.
Discover Card
Contact your relationship manager or call the support line for further guidance.
2. Alert all necessary parties. Be sure to notify:
a. Merchant / Acquiring bank
b. Regional law enforcement agency
c.
Local authorities (if appropriate)
3. Perform an analysis of legal requirements for reporting compromises in every country where purchasers were
affected.
4. Collect and protect information associated with the intrusion. In the event that forensic investigation is
required the President (or Vice-President) and officers will work with security, management and legal
personnel of the institution physically hosting The Ray Society to identify appropriate forensic specialists.
5. Eliminate the intruder's means of access and any related vulnerabilities.
6. Research potential risks related to or damage caused by intrusion method used.
Root Cause Analysis and Lessons Learned
Not more than one week following the incident, The Society’s officers and security officers from the institution
physically hosting The Society shall meet to review the results of any investigation to determine the root cause of
the security breach and evaluate the effectiveness of the Incident Response Plan. They shall also review other
security controls to determine their appropriateness for the current risks. Any identified areas in which the plan,
policy or security control can be made more effective or efficient, must be updated accordingly.
̶ END ̶
7 of 7