Data Classification and Controls Policy for PCI DSS

Thursday, March 01, 2012

Danny Lieberman


Do you run an e-commerce site?

Are you sure you do not store any payment card data or PII (personally identifiable information) in some MySQL database?

The first step in protecting credit card and customer data is to know what sensitive data you really store, classify what you have and set up the appropriate security controls.

Here is a policy for any merchant or payment processor who wants to achieve and sustain PCI DSS 2.0 compliance and protect customer data.

I. Introduction

You need to identify and apply controls to the data types identified in this policy. The data types identified below are considered digital assets and are to be controlled and managed as specified in this policy while retained or processed by the organization.

You should identify and inventory all systems that store or process this information, and audit these systems on a semi-annual basis for the effectiveness of the controls that manage these data types.

II. Background

The Payment Card Industry (PCI) Security Standard is a requirement for all financial institutions and merchants that use or process credit card information. This security standard is designed to help protect the integrity of the credit card systems and to help mitigate the risk of fraud and identity theft to the individuals who use credit cards to make purchases for goods and services.

The PCI Security Standard was originally introduced by VISA as the Cardholder Information Security Program (CISP) and specified the security controls for each level of merchant and credit card processor.

In 2004 the major brands in the card payment industry agreed to adopt the CISP standard and requirements as a single industry standard in order to reduce the costs of implementation and assessment and increase the rate of adoption.

Most organizations were required to meet all requirements of the PCI security standard by June 30th 2005, and it is now an ongoing compliance process for merchants, payment processors and issuers.

III. General Policy Statement

All Credit Card Information and associated data is company confidential and will not be transmitted over public networks in the clear. Credit Card information can only be transmitted encrypted and only for authorized business purposes to authorized parties that have been approved to receive credit card information.

IV. Data Classifications of Credit Card Information

Personally Identifiable Information: Data Description and Policy

Any information that is collected about the owner of the credit card such as their name, signature, address, phone number or driver’s license number or social security number will be classified and controlled as PERSONALLY IDENTIFIABLE INFORMATION or PII.

As a general rule, to help the user identify PII data, consider whether a reasonable person with a reasonable level of effort could use the information to identify an individual. PII data is confidential to the organization and can only be used for the specific purposes listed below.

Only pre-authorized parties are allowed to receive PII data and only through authorized communication channels.

Examples

The following examples are for illustration only and do not necessarily comprise a complete set of all types of Personally Identifiable Information:

  • Name
  • Address
  • Phone Number(s)
  • Driver's License
  • Social Security Number

Authorized Uses

  • To provide customer service
  • To ship products or deliver services to a customer
  • To collect or process payment for products or services
  • To facilitate planning or to support marketing plans

Authorized Channels for Communication

  • Official Electronic Mail System of the Organization
  • File Transfer Protocol
  • Web Services

Controls

  • Encrypt data when stored on magnetic media
  • Encrypt data when transmitted over public networks
  • Label as confidential when printed
  • De-identify data when used for other than authorized purposes
  • Retain data for no more than three years
  • Destroy data upon three year anniversary

Sample DataSafe Business Rule

PII Data AND Credit Card Data in any channel will be blocked if unencrypted
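The business rule above, together with the earlier point that you first have to find out what card data you really store, as an added Python example that is not part of the original post: it finds card numbers by pattern plus Luhn check (so order numbers that merely look like PANs are not flagged), treats social security numbers as PII, blocks unencrypted channel messages carrying either class, and de-identifies card numbers in anything it logs. The `encrypted` flag on each message and the sample messages are assumptions constructed for the example.

```python
import re
# 13-19 digits with optional space/hyphen separators, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # one of the PII examples in the policy

def luhn_ok(digits):
    """Luhn mod-10 check; weeds out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return digits-only card numbers in text that pass the Luhn check."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_CANDIDATE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]

def redact_pans(text):
    """De-identify: keep first 6 and last 4 digits, the most PCI DSS allows to be shown."""
    def mask(m):
        d = re.sub(r"[ -]", "", m.group(0))
        return d[:6] + "*" * (len(d) - 10) + d[-4:] if luhn_ok(d) else m.group(0)
    return PAN_CANDIDATE.sub(mask, text)

def classify(text):
    """Label a message body with the policy's data classes it contains."""
    labels = []
    if find_pans(text):
        labels.append("CREDIT_CARD")
    if SSN.search(text):
        labels.append("PII")
    return labels

def enforce(message):
    """Business rule: PII or card data in any channel is blocked if unencrypted.
    'encrypted' is an assumed flag set by the channel (e.g. TLS or SFTP in use)."""
    labels = classify(message["body"])
    if labels and not message["encrypted"]:
        return {"action": "BLOCK", "labels": labels, "channel": message["channel"]}
    # Allowed traffic is logged de-identified so the audit trail never holds a full PAN.
    return {"action": "ALLOW", "labels": labels, "log_body": redact_pans(message["body"])}

# Constructed sample traffic; the card numbers are public test numbers, not real accounts.
SAMPLE_MESSAGES = [
    {"channel": "email", "encrypted": False, "body": "Jane Doe, card 4111 1111 1111 1111, SSN 123-45-6789"},
    {"channel": "ftp", "encrypted": True, "body": "order 7781 card 5555555555554444 amount 49.90"},
    {"channel": "web", "encrypted": False, "body": "order 7782 ref 4111111111111112 amount 12.00"},
]
```

Running `enforce` over `SAMPLE_MESSAGES` blocks the plaintext e-mail, allows the encrypted FTP transfer with the card number masked in the log entry, and allows the web order whose reference number fails the Luhn check.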

Credit Card Information: Data Description and Policy

Credit Card Information will include the credit card number, the type of credit card (such as Visa, MasterCard, Discover, etc.), the security code and the expiration date. In addition to the basic credit card information, other information such as the issuing bank or financial institution is considered part of the credit card information.

Credit Card Information is considered confidential to the organization and can only be used for the specific purposes listed below. Only pre-authorized parties are allowed to receive Credit Card data and only through authorized communication channels.

Examples

The following examples are for illustration and are considered the comprehensive set of Credit Card Information:

  • Type of Credit Card
  • Name on Credit Card
  • Credit card Number
  • Expiration Date
  • Security Code

Authorized Uses

  • To provide customer service
  • To support accounting or reconciliation business processes
  • To investigate fraud or criminal activities
  • To collect or process payment for products or services

Authorized Channels for Communication

  • Official Electronic Mail System of the Organization
  • File Transfer Protocol
  • Web Services

Controls

  • Encrypt data when stored on magnetic media
  • Encrypt data when transmitted over public networks
  • De-identify data when used for other than authorized purposes
  • Retain data for no more than three years
  • Destroy data upon three year anniversary

Credit Card Magnetic Stripe Data: Data Description and Policy

Credit Card Magnetic Stripe data is information that is automatically read through an electronic credit card reader and includes Track I and Track II data. These two tracks contain the credit card information and the name of the individual authorized to use the card as well as some other service and issuer specific information.

The Credit Card Magnetic Stripe Data is considered confidential to the owner and authorized user and can only be used to process a financial transaction. Only pre-authorized parties are allowed to receive Magnetic Stripe data and only through authorized communication channels.

Examples

The following examples are for illustration and are considered the comprehensive set of Magnetic Stripe Data:

  • Track I Data – 56 Bytes
  • Track II Data – 35 Bytes
  • Personal Identification Number

Authorized Uses

The only authorized use for Magnetic Stripe Data is to complete an automated, electronic financial transaction.

Authorized Channels for Communication

  • File Transfer Protocol
  • Private Line or VPN
  • Web Services

Controls

  • Electronic storage on magnetic media is not allowed – zero retention
  • Encrypt data when transmitted over public networks

Credit Card Transaction Data: Data Description and Policy

Transaction data is collected at a point of sale and will often include items purchased, credit card information, date and time, authorization code and transaction amount.

These transaction details are confidential to the organization and can only be used for the specific purposes listed below. Only pre-authorized parties are allowed to receive Credit Card Transaction data and only through authorized communication channels.

Examples

The following examples are for illustration only and do not necessarily comprise a complete set of all types of Credit Card Transaction Data:

  • Authorization Code
  • Transaction Number
  • Name
  • Amount

Authorized Uses

  • To process or collect payment for products or services
  • To reconcile all financial accounting
  • To provide customer service

Authorized Channels for Communication

  • Official Electronic Mail System of the Organization
  • File Transfer Protocol
  • Web Services

Controls

  • Encrypt data when stored on magnetic media
  • Encrypt data when transmitted over public networks
  • De-identify data when used for other than authorized purposes
  • Retain data for no more than three years
  • Destroy data upon three year anniversary

Cross-posted from Israeli Software
