Cal Poly Pomona Foundation, Inc. (CPPF)

Section: INFORMATION SECURITY POLICY

Policy Number: 1115

Policy Title: Credit Card Reader Device Management

Policy Effective Date: November 1, 2015

Last Revision Date: October 10, 2017

POLICY OBJECTIVE

The CPPF Information Security policy defines Foundation user responsibilities, including staff and third parties, with respect to the management of credit card reader devices.

POLICY STATEMENT

Introduction

This document explains the Foundation’s credit card reader device management as required by the Payment Card Industry Data Security Standard (PCI DSS) Program. Foundation management is committed to these security policies to protect information utilized by the Foundation in attaining its business goals. All employees are required to adhere to the policies described within this document.

1.0 Scope

The PCI requirements apply to all systems that store, process, or transmit cardholder data. Currently, the Foundation’s cardholder data flow includes third-party tokenized data via a hosted processor and, under rare exception, occasional shredded paper media. Electronic storage of full cardholder data onsite is not conducted or permitted. Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) D. Should the Foundation implement additional acceptance channels, begin storing, processing, or transmitting cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ D, it will be the responsibility of the Foundation to determine the appropriate compliance criteria and implement additional policies and controls as needed.

2.0 CC Reader Device Management Policies

2.1 Maintain a Device List

Foundation policy requires that a list of credit card devices be maintained. (PCI requirement 9.9a)

2.2 Periodically Inspect Devices

Foundation policy requires that these devices are periodically inspected to look for tampering or substitution. (PCI requirement 9.9b)

2.3 Train Personnel on Device Tampering

Foundation policy requires that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices. (PCI requirement 9.9c)

3.0 CC Reader Device Management Procedures

1. The list of devices should include the following: (PCI requirement 9.9.1a)

a. Make and model of device.

b. Location of device (for example, the address of the site or facility where the device is located).

c. Device serial number or other method of unique identification.

2. The list should be accurate and up to date. (PCI requirement 9.9.1b)

3. The list of devices is updated when devices are added, relocated, decommissioned, etc. (PCI requirement 9.9.1c)

4. Device surfaces should be periodically inspected to detect tampering (for example, addition of card skimmers to devices) or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows: (PCI requirement 9.9.2a)

a. Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

5. Personnel should be aware of procedures for inspecting devices. (PCI requirement 9.9.2b)

6. Training materials should be provided for personnel at point-of-sale locations, including the following: (PCI requirement 9.9.3a)

a. Verify the identity of any third-party persons claiming to be repair or maintenance personnel prior to granting them access to modify or troubleshoot devices.

b. Do not install, replace, or return devices without verification.

c. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).

d. Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

7. Logs should show that personnel at point-of-sale locations have received training and are aware of procedures to detect and report attempted tampering or replacement of devices. (PCI requirement 9.9.3b)

8. The list of all such devices should include personnel with access. (PCI requirement 12.3.3)

Randall L. Townsend
Director of Information Technology
Approved: November 1, 2015

APPLICABILITY AND AREAS OF RESPONSIBILITY

REVISION HISTORY

RESOURCES AND REFERENCE MATERIALS

Useful Guidelines:

Related Principles:

Sound Business Practices:

Laws, State Codes, Regulations and Mandates: