PCI-DSS to Minimum Security Standards Mapping | ��Vlog�ٷ� Information Security

��Vlog�ٷ� Information Security

University of Hawaiʻi System

Payment Card Industry Data Security Standard

Last Updated 2024-08-12

Administrative Procedure 8.710 Credit Card Program
Foundational Principles
PCI DSS High-Level Goals and Requirements
PCI DSS 4.0 Implementation Guides by SAQ
ITS Minimum Security Standards Mapping by PCI DSS SAQ Type
Sources

Administrative Procedure 8.710 Credit Card Program

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

The purpose of this policy is to outline the responsibilities of departments that accept credit card payments and to provide procedures for these departments to follow.

Administrative Procedure 8.710 Credit Card Program: /policy/ap8.710

Foundational Principles

The ��Vlog�ٷ� network is an UNTRUSTED and public network:

This includes both wired and wireless IP connections.
Remember- The ��Vlog�ٷ� Network IS NOT PCI COMPLIANT.

Isolate devices used for PCI transactions from the ��Vlog�ٷ� network to minimize scope of PCI compliance

Implement a firewall or router to separate devices used for PCI transactions from the rest of the Merchant's department/campus network (Network Segmentation)

Devices used for PCI transactions should not be used for any other purposes (do not use devices for email, web browsing, or any other department uses)
Minimize the number of devices used to process PCI transactions
Minimize the number of people handling PCI transactions

PCI DSS High-Level Goals and Requirements

Goals	Requirement
Build and Maintain a Secure Network and Systems	Requirement 1: Install and Maintain Network Security Controls Requirement 2: Apply Secure Configurations to All System Components
Protect Account Data	Requirement 3: Protect Stored Account Data Requirement 4: Protect Cardholder Data and Strong Cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program	Requirement 5: Protect all Systems and Networks from Malicious Software Requirement 6: Develop and maintain secure systems and software
Implement Strong Access Control Measures	Requirement 7: Restrict access to System Components and Cardholder Data by business need to know Requirement 8: Identify Users and Authenticate access to system components Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks	Requirement 10: Log and Monitor All Access to System Components and Cardholder data Requirement 11: Test security of systems and networks regularly
Maintain an Information Security Policy	Requirement 12: Support Information Security with Organizational Policies and Programs

PCI DSS 4.0 Implementation Guides by SAQ

The ��Vlog�ٷ� Information Security team have created guidance to help merchants implement the PCI DSS 4.0 requirements. These guides provide sample implementation and guidance based on SAQ.

The PCI DSS 4.0 Implementation Guides are available at the following link: /infosec/assets/minimum-standards/implementation-guides/

ITS Minimum Security Standards Mapping by PCI DSS SAQ Type

ITS has performed analysis mapping the PCI DSS 4.0 requirements against the ITS Minimum Security Standards (MSS). The table below provides a consolidated view of this analysis mapping the ITS MSS by PCI DSS SAQ type.

Please visit the specific ITS MSS device type (Endpoints, Servers, Multi-Function Devices) for any additional guidance.

The ITS MSS listed in the table below are abstracted from the Center for Internet Security's (CIS) Controls, which are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The standards listed are a selected based on its applicability to the University of Hawaiʻi.

When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
When comparing Standards, Acts, or Policies to the ITS Minimum Security Standards, the more stringent standard takes precedence.
Standard, Act, or Policy requirements still apply when there is no equivalent ITS Minimum Security Standard.

Please note that the ITS Minimum Security Standard (MSS) mappings are designed as a starting point for implementing their respective Standard, Act, or Policy and are not an indication of compliance. Mappings are selected based on relativity and may differ in implementation based on device type.

ITS Minimum Security Standards Mapping by PCI DSS 4.0 SAQ Type
#	Standards	PCI DSS 4.0 Controls Mapping by SAQ Type
1.0	Automatic Updates / Patching	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
1.1	Enable automatic updates for operating systems and software if possible.	6.3.3	6.3.3	6.3.3	6.3.3
1.2	Install standard operating system and software security patches on a monthly basis for servers and networking devices.	6.3.3	6.3.3	6.3.3	6.3.3
1.3	Ensure email clients and web browsers are actively receiving security updates.	6.3.3	6.3.3	6.3.3	6.3.3
2.0	Firewall Configuration	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
2.1	Configure and manage a host based firewall or a network firewall device with a default deny-all policy. Only necessary services should be allowed through the firewall.		1.3.1 1.3.2	1.3.1 1.3.2	1.3.1 1.3.2
3.0	Password Security	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
3.1	Ensure that all devices have strong and unique password protected individual logins for all local and remote accounts.	2.2.2 8.3.1 8.3.6	2.2.2 2.3.1	2.2.2 2.3.1 8.3.1 8.3.6	2.2.2 2.3.1 8.3.1 8.3.6
3.2	Ensure that all web applications have strong and unique password protected individual logins for administrative accounts.	8.3.1 8.3.6		8.3.1 8.3.6	8.3.1 8.3.6
4.0	Data Management	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
4.1	Utilize the University’s records management process for .	3.2.1				3.2.1
4.2	Securely dispose of Institutional Data following our Disposal Guidelines.	9.4.6	9.4.6	9.4.6	9.4.6	9.4.6
4.3	Use Spirion to scan for sensitive and regulated information on a monthly basis.
5.0	Encryption	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
5.1	Ensure that data is encrypted with a secure encryption algorithm while in transit.			4.2.1 8.3.2
5.2	Ensure that files containing Sensitive and Regulated data stored on servers, applications, databases, and removable media are encrypted or stored in an encrypted file container such as Veracrypt.
5.3	Utilize ��Vlog�ٷ� Enterprise Dropbox to store Sensitive and Regulated data online.
6.0	Asset Management	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
6.1	Complete the Annual Device Registration.
6.2	Maintain an updated inventory of all software and hardware assets.		9.5.1	9.5.1 11.2.2		9.5.1
6.3	Ensure that hardware and software assets are actively receiving security updates.
6.4	Review asset lists on a monthly basis. Remove or replace unauthorized and end-of-life assets if possible.		9.5.1	9.5.1 11.2.2		9.5.1
7.0	Data Inventory	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
7.1	Complete the annual Personal Information Survey (PIS).
8.0	Removable Media	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
8.1	Disable autorun / autoplay for removable media.
9.0	Malware Protection	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
9.1	Install and enable an anti-malware solution.			5.2.1	5.2.1
9.2	Ensure automatic anti-malware signature updates are enabled.			5.2.2 5.3.1 5.3.2	5.2.2 5.3.1 5.3.2
9.3	Enable anti-exploitation features.
10.0	Session Locking / Session Timeout	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
10.1	Configure a maximum 15 minute session timeout for system access and remote access protocols (SSH, RDP, etc.)			8.2.8
11.0	Backups	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
11.1	Maintain an offline, off-site, or cloud-based backup instance.	9.4.1.1	9.4.1.1	9.4.1.1	9.4.1.1	9.4.1.1
11.2	Ensure backups are encrypted.
11.3	Perform automatic backups of systems on at least a weekly basis.
12.0	Multi-Factor Authentication (MFA)	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
12.1	Enable multi-factor authentication to access externally-exposed applications, remote network access, and administrative access where possible.	8.2	8.3 8.3.1 8.3.2	8.2 8.3 8.3.1 8.3.2	8.2 8.3 8.3.1
12.2	Utilize ��Vlog�ٷ� login for application and web app logins.	8.2	8.3 8.3.1 8.3.2	8.2 8.3 8.3.1 8.3.2	8.2 8.3 8.3.1
13.0	Centralized Logging	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
13.1	Deploy a centralized log management system for servers and aggregate logs.
13.2	Retain centralized logs for at least 90 days. Adequate log storage must be accounted for.			10.7
13.3	Review centralized audit logs on a weekly basis.			10.6 10.6.1 10.6.2
14.0	Secure Access	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
14.1	Access applications and manage software over a secure encrypted connection (SSH, HTTPS, etc.).
14.2	Limit access to MFDs and IoT devices by authorized IPs if possible.
15.0	Secure Configuration	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
15.1	Ensure that servers and network devices are configured following industry security best practices. CIS Configuration Guides are recommended. Configuration scripts are available upon request.		2.1.1	2.1 2.1.1	2.1.1
15.2	Uninstall or disable unnecessary and unused services on servers and network devices.			2.2.2 2.2.5	2.2.2
16.0	Event Logging	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
16.1	Enable logging of system, security, and application events.			10.2.2 10.2.4 10.2.5 10.3.1 10.3.2 10.3.3 10.3.4 10.3.5 10.3.6
16.2	Retain logs for at least 90 days. Adequate log storage must be accounted for.			10.7
16.3	Review audit logs on a weekly basis.			10.6 10.6.1 10.6.2
17.0	Network Security	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
17.1	Utilize network segmentation to address least privilege by isolating personal, untrusted, and IoT devices from critical services.		1.2	1.2	1.2
17.2	Maintain network diagrams.		1.2.3
17.3	Utilize Wi-Fi Protected Access 2 (WPA2) with AES-128 or greater and a strong password for wireless networks.		2.1.1 4.1.1	2.1.1 4.1.1	2.1.1 4.1.1
18.0	Access Control	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
18.1	Maintain an updated access control list of user roles, accounts and permissions for local/remote file systems, databases, and applications.		7.1.3	7.1.3	7.1.3	7.1.3
18.2	Grant access and apply access privileges to systems and services on a need to know basis.		7.1 7.1.2 7.1.3	7.1 7.1.2 7.1.3	7.1 7.1.2 7.1.3	7.1 7.1.2 7.1.3
18.3	Revoke privileges to systems and services upon employee termination, rights revocation, or role change.	8.2.5 8.3.1			8.2.5	8.1.3
19.0	Account Management	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
19.1	Restrict administrator privileges to individually dedicated administrator accounts.		7.1.2	7.1.2	7.1.2	7.1.2
19.2	Remove dormant accounts (45 days of inactivity).
19.3	Disable default system and software accounts or make them unusable.	2.1	2.1	2.1	2.1
19.4	Review account privileges and permissions quarterly.
20.0	Vulnerability Scanning	SAQ A	SAQ B-IP	SAQ C	SAQ C-VT	SAQ P2PE
20.1	��Vlog�ٷ� Vulnerability Scan Site Perform vulnerability scans using or Nessus Agents on a monthly basis.		6.1	6.1 11.2	6.1
20.2	Remediate all High and Critical severity vulnerabilities within 7 days.

Sources:

PCI DSS 4.0 Requirements:
PCI DSS SAQ A:
PCI DSS SAQ B-IP:
PCI DSS SAQ C:
PCI DSS SAQ C-VT:
PCI DSS SAQ P2PE:

����Vlog�ٷ�

����Vlog�ٷ� Information Security