University of Cincinnati - UCit
 
 

Standards & Guidelines - Credit Card Processing


Organizational Standards

The Visa USA Cardholder Information Security Program (CISP) defines a standard of due care and enforcement for protecting sensitive information associated with credit cards. Currently, it applies to e-commerce merchants allowing online Visa transactions, which would include some colleges and universities. Among other things, CISP specifies the "Digital Dozen," a list of 12 basic security requirements with which all Visa payment system constituents need to comply (e.g., requiring a firewall to protect data, encryption of data sent across public networks, and use of regularly updated anti-virus software).

The CISP Requirements (Digital Dozen)

    • Install and maintain a working firewall to protect data.
    • Keep security patches up-to-date.
    • Protect stored data.
    • Encrypt data sent across public networks.
    • Use and regularly update anti-virus software.
    • Restrict access by "need to know."
    • Assign unique ID to each person with computer access.
    • Don't use vendor-supplied defaults for passwords and security parameters.
    • Track all access to data by unique ID.
    • Regularly test security systems and processes.
    • Implement and maintain an information security policy.
    • Restrict physical access to data.

E-merchants falling into the "high volume transaction" category (unlikely for institutions of higher education) require an annual on-site review. But even without the mandated annual review, the Digital Dozen can be used as a security checklist to be compared against an institution's security policies. In some cases, specific technologies or techniques may reasonably be argued to provide equal or better protection than what Visa requires.

The UC Office of Information Security will be glad to schedule a Security Posture Assessment based upon the CISP standards upon request.

 