20-30 - 05-05 - Approve Payment Card Industry Policy
RESOLUTION NO. 20-30
RESOLUTION APPROVING THE PAYMENT CARD INDUSTRY (PCI)
COMPLIANCE POLICY
WHEREAS, the Employees of the City of Golden Valley may accept credit cards as
a form of payment, and
WHEREAS, the Employees of the City of Golden Valley shall abide by the
requirements of the policy.
NOW, THEREFORE, BE IT RESOLVED that the City Council adopt the Payment
Card Industry Compliance Policy.
Adopted by the City Council of Golden Valley, Minnesota this 5th day of May, 2020.
____________________________
Gillian Rosenquist, Acting Mayor
ATTEST:
_______________________
Kristine A. Luedke, City Clerk
Page 1 of 11 Golden Valley PCI Compliance for Staff
City of Golden Valley PCI Compliance Policy for Staff
Section 1. Introduction
This PCI Compliance Policy for Staff (“Policy”) describes the City of Golden Valley’s credit card security
requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program. The
city is committed to these security policies to protect information utilized by the city in attaining its
business goals.
All employees who use systems that process credit card cardholder data are required to adhere to the
policies described within this document.
Section 2. Confidential PCI Cardholder Data
The City of Golden Valley defines confidential card holder data as the following information:
The card number printed on the front or back of the payment card.
User authorization/payment PIN (Personal Identification Number).
The full contents of any track data from the magnetic stripe (located on the back of a card,
equivalent data contained on a chip on the card, or elsewhere).
The card verification code or value (three‐digit or four‐digit number printed on the front or back
of a payment card).
Section 3. Protecting Confidential Cardholder Data
Protecting cardholder data is the responsibility of all staff. This data may only be used while performing
charges on authorized, city-approved PCI compliant hardware and software. This data may not be stored
electronically or on paper under any circumstance.
Examples of a proper use:
Swiping the credit card on a city approved and allocated scanner.
Utilizing the PCI compliant websites:
o https://webtrac.goldenvalleymn.gov (Parks & Rec)
o https://www.invoicecloud.com/portal/(S(f05gnmgj2aihmjmoqwmtgmle))/2/Site2.aspx?G=3456ddb6-c3c6-4817-adfb-31a61f509f89 (Utility Billing by Invoice Cloud)
o https://epermits.logis.org/home.aspx?city=gv (ePermits)
o https://secure.east.prophetservices.com/BrookviewGCv3 (Golf ClubProphet)
Utilizing the PCI regulated software and hardware at:
o DMV
o Brookview Golf Course
o Parks & Recreation RecTrac
o Public Works
o City Hall
Taking credit card information over the phone pursuant to section 6 of this Policy.
Examples of unapproved use:
Entering card holder data into non‐POS software such as: Email, instant messaging, Excel, and
Word.
Writing down card holder data.
If staff receives unsolicited paper copies of card holder data (faxes, registration forms, incoming mail,
etc.), these documents must be processed and then destroyed immediately by placing them in the
locked shred box. If card holder data was sent in an email the email should not be forwarded, but rather
permanently deleted. Paper copies of card holder data can also be shredded utilizing a cross‐cut
shredder.
Staff may not encourage or ask customers to send credit card information in an unapproved manner,
and shall notify senders that they are putting their credit card information at risk if they do. At no time
should these security policies and procedures be bypassed, subjecting the card holder data to
compromise.
Section 4. PCI hardware (scanners/computers)
PCI hardware means scanners, computers and other hardware authorized by the City’s IT Department to
process credit card transactions. The City has dedicated PCI hardware in all locations that have been
approved to take credit card charges. The following requirements apply to the PCI hardware located in
the city facilities:
PCI approved computers/scanners will be labeled by the city as such.
Employees may only utilize PCI hardware that has been setup and configured for the express
purpose of entering card holder data to perform charging transactions.
Any changes to PCI hardware must be submitted to the IT Department where they will be
reviewed for PCI compliance. No user changes are allowed to this equipment.
Only authorized staff are allowed to use the PCI hardware. Employees must verify the identity
of unknown individuals that need to access the PCI hardware and confirm with IT before allowing
access to the hardware.
PCI hardware may only be used for the express purpose of charging transactions.
Staff should perform a physical inspection of all PCI hardware at the beginning of their shift to
see if any alterations have been made.
PCI hardware must be monitored or maintained in a physically secure location which would be
protected from access outside of business hours by unauthorized personnel. In no case should
PCI hardware be taken offsite without express approval by the IT Coordinator or the Finance
Director.
Section 5. Protected Media Policy
Media is defined as, but not limited to: hard drives, flash drives, removable storage drives, CDs, DVDs,
backup tapes, paper, reports, and faxes. Protected media is media that contains sensitive, confidential
or PCI cardholder data.
The proper storage of protected data is essential to preventing breaches. City staff shall handle media in
a way that ensures that protected media is kept secure when not in use by storing it in a locked cabinet,
locked room or safe.
If Employees store any type of cardholder data, and backups are being performed of this data, it must
be done in a PCI compliant manner.
Once the protected electronic media is no longer needed, it must be turned in to IT Staff so that they
can securely store it, or sanitize it according to NIST Special Publication 800-88, Guidelines for Media
Sanitization.
The handling and usage of any protected media is limited to only those staff members that need access
to media for legitimate business purposes. If any protected media needs to be moved from a secure
area to an external location for any reason, the staff member moving the media must obtain
management approval, and maintain an inventory and log where it is being moved to.
Section 6. Taking Credit Cards over the Phone
Credit Card information may be obtained over the phone from customers and citizens only under
specific circumstances as determined by the Finance Director. The Finance Director shall prepare a list of
all such approved circumstances, which list shall be filed with the City Clerk. When taking credit cards
over the phone, staff shall follow the following policies and procedures:
Credit card numbers obtained over the phone shall be directly inputted into the Point of Sale
(POS) terminal/software. Employees must walk over to the terminal with the telephone and
enter the information as the customer speaks it.
The employee may never speak the credit card information out loud. Employees will have the
customer repeat any part of the number or information if necessary.
Employees may never use speakerphone when taking credit card information over the phone.
Employees may never write credit card information down on paper or input such information
electronically into a system other than the POS software.
Section 7. Reporting
All employees who observe suspicious behavior around the PCI hardware, or suspect that the PCI hardware
has been modified or that cardholder data has been lost or compromised, must immediately report this to
the following staff:
IT Department
Finance Director
This report immediately begins the incident response procedure, under which appropriate action will be
taken; the procedure is listed as an addendum. Staff should follow the Incident Response Guideline Template in the attached
Addendum A.
Section 8. Failure to Comply with Policy
Failure to adhere to the policy and its practices can subject staff to disciplinary action, up to and
including termination.
City of Golden Valley Information Security Incident Response Plan Addendum
Purpose: This plan is to serve as guidance in the handling of a potential information security incident at
the City. A formal incident response plan is an industry best practice and is required for PCI and CJIS
compliance. Other incident responses for events such as fire, severe weather, and bomb threats are
contained in the City’s Emergency Management Plan.
Roles: The City Security Policy requires all personnel to report suspected breaches of City security.
These potential security incidents must be immediately reported to the City IT Coordinator or your
appropriate Manager for investigation.
Communication: Internal communication should be limited to appropriate staff during the incident to
not compromise the investigation. Communication with outside entities regarding the incident must be
approved by City Management, with the exception of 911 for immediate danger to lives.
Incident Response Procedure: City Incident Response adopts a high‐level process similar to SANS
guidelines and NIST 800‐61: Prepare (already done), Identify (verify it is a security incident), Contain
(remove device from the network & backup), Eradicate / Recover (remove malware or restore from
system backup and prevent re‐occurrence), and Lessons Learned (improve future responses or security).
These processes are detailed in the template below.
City of Golden Valley PCI Compliance Policy for Staff Acknowledgement Form
The Golden Valley PCI Compliance Policy applies to all employees and other authorized persons who handle
credit card information.
I acknowledge that I have received a copy of the Golden Valley PCI Compliance Policy for Staff, and that
it is my responsibility to read and comply with the policies contained in the document as well as any
revisions made to it in the future.
EMPLOYEE/CONTRACTOR NAME (Printed): __________________________________________
EMPLOYEE/CONTRACTOR SIGNATURE: _______________________________________________
DATE ACKNOWLEDGED: ____________________________
ADDENDUM A: Incident Response Guideline Template
Start Date:
Description of Incident:
Step 1: Identify
Overview: This process must be followed in the event that staff suspects a security incident has occurred; it is used to notify and identify the type of incident that occurred.
# Step Handler Date Time Actions Taken
1 If there is immediate danger to lives, dial 911 and then notify the City IT Coordinator, or your immediate Manager, who will notify the IT Coordinator.
2 The IT Coordinator will assign staff to assess the potential security incident* and determine if it is a security incident or an unrelated event such as user error.
3 If the report was not a security incident, no further work is needed; otherwise, document the results of the investigation in a help desk ticket assigned to the IT Coordinator.
4 The IT Coordinator will communicate to the appropriate City staff that an investigation is being conducted.
* Note that some security devices produce a large number of suspicious event alerts, in which case it may be prudent for the incident handler to recommend the device be further tuned instead, and only proceed if there is a reasonable likelihood of an incident.
Step 2: Contain
Overview: Remove device from network, communicate outside, and back up
# Step Handler Date Time Actions Taken
1 The IT Coordinator will assign the appropriate staff to perform containment of the security event.
2 The assigned staff will disconnect the compromised device(s) from the City network.
3 If Credit Card (PCI) data was likely compromised, the system affected must not be powered down, per PCI Payment Brand procedures (referenced in the appendix).
4 Research how the incident occurred and perform the following steps to further contain it:
  A. Make appropriate firewall/access list changes to restrict the ability of the threat to further compromise the systems.
  B. Any passwords that were potentially compromised should be changed as appropriate.
5 Outside notification should be reviewed by Management consulting with HR and Legal, as listed below and detailed in the Appendix.
  A. If Credit Card (PCI) data was likely compromised, no further action should be taken on the system until the Credit Card brands listed in the appendix and the US Secret Service have been notified by Management, and we have been given further instructions from the Credit Card brands (e.g. Visa, MC) listed in the appendix.
  B. If BCA data was likely compromised, Management should contact the City Police LASO to notify the BCA and wait for instruction.
  C. If citizen data is compromised, Management should be alerted to handle communication with the citizens as appropriate.
  D. If LOGIS security was breached, Management should notify LOGIS.
6 Back up the data for evidence by swapping out a mirrored drive or running a backup on the device if this incident is likely to result in a court case or if additional research is needed. If the incident is malware on a workstation not exposing Restricted data, a backup does not need to be done.
  A. Start a "chain of evidence" form detailing how the evidence was stored, who had access, how it was used, and when.
  B. Keep the evidence locked and only work with copies of the evidence.
7 If a Mobile Device is involved and is managed by a Mobile Device Management (MDM) solution, the device shall be locked or wiped in order to protect the protected data that may be stored on that device. This shall be done rapidly given the higher risk mobile devices may pose.
Step 3: Eradicate / Recover
Overview: Clean the system or rebuild/restore from a clean backup; prevent reoccurrence
# Step Handler Date Time Actions Taken
1 Determine the root cause of the incident.
2 Clean the system or rebuild/restore from backup as appropriate.
3 Apply fixes for the root cause to prevent re-occurrence.
4 Evaluate applying the fix to prevent similar occurrences elsewhere, if appropriate.
5 Monitor the City for similar events.
6 For a major incident (e.g. web defacement), Management must approve whether the systems go back online. This will be determined when Management is satisfied that the root cause has been determined and resolved.
7 Review and monitor systems for reoccurrence.
Step 4: Lessons Learned
Overview: Formally document the incident and make future recommendations
# Step Handler Date Time Actions Taken
1 For incidents involving restricted data (PCI, CJIS, HIPAA, HF2121), complete the reporting required by the outside entities, to be sent by Management after consulting HR/Legal.
2 For a major incident (e.g. web defacement), a formal document of the incident should be written up and put in the file share, which includes the following:
  o One to three paragraph summary with screen shot if applicable
  o Short background information on system / environment
  o Incident timeline, how discovered, steps taken by whom (this template)
  o Future recommendations: typically involves possible changes to improve the incident handling process or harden the environment
3 For a non-major incident, put this form in the City Incident Response file share, labeled with the date and description.
4 For all malware incidents (minor and major), file the CJIS Security Incident Response Form with the BCA.
5 Review future recommendations with Management to implement if appropriate.
Appendix A: Security Incident Notification Requirements
PCI (Credit Card):
Note: LOGIS is a “level two service provider”
Note: If required, the U.S. Secret Service Field Office in Minneapolis contact number is (612)348‐1800
VISA: http://usa.visa.com/merchants/protect-your-business/cisp/if-compromised.jsp
Highlights of process: remove the network cable, do not turn the device off, document actions
taken. LOGIS is responsible for notifying VISA and the U.S. Secret Service. Visa Fraud
Investigations and Incident Management group: (650)432‐2978.
MasterCard: http://www.mastercard.com/us/merchant/pdf/SPME-Entire_Manual_public.pdf
Highlights of process: preserve forensic evidence, remove device from network, document
actions taken, do not reboot system. LOGIS (MasterCard “Agent”) is responsible for notifying
MasterCard. MasterCard merchant contact: (800)622‐7747.
Discover Card: http://www.discovernetwork.com/fraudsecurity/databreach.html
Highlights of process: remove device from network, document actions taken, preserve
evidence. LOGIS is responsible for notifying Discover Network and the U.S. Secret Service.
Discover merchant contact: (800)347‐3083.
American Express: https://www209.americanexpress.com/merchant/services/en_US/data-security
Highlights of process: conduct a thorough forensic investigation. LOGIS is responsible for
notifying American Express. American Express Enterprise Incident Response Program (EIRP)
contact: (888)732‐3750.
CJIS (Criminal Records / BCA data):
http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view (section 5)
Note: LOGIS is an “interface agency”
Highlights of the process: leave the system powered on, preserve evidence. LOGIS is responsible for
contacting the Member’s Police Agency Information Security Officer and the BCA. The BCA 24‐hour
Operations Center number: 651‐793‐7000.
MN State Law HF 2121/325E.61&64 (Minnesota citizen Social Security, Financial Account, or State
Drivers License/ID):
https://www.revisor.mn.gov/bin/bldbill.php?bill=H2121.3&s
https://www.revisor.mn.gov/statutes/cite/325E.61
Highlights of the process: notifying citizens and possibly credit report organizations, exemption from
requirements if the information was encrypted.
HIPAA Omnibus Rule 2013
https://www.hhs.gov/hipaa/for-professionals/security/index.html
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
Appendix B: Incident Response Plan Requirements
PCI v3.2.1: Section 12.10.1
CJIS 5.7: Section 5.3
HIPAA Omnibus Rule 2013, 164.308(a)(6)
LOGIS Members Security Policy: Page 1