INFORMATION SECURITY POLICY FOR
eCOMMERCE PAYMENT CARD APPLICATIONS

This document describes IT Services’ policies and practices for managing its secure platform for University hosted eCommerce, specifically payment card transactions, and the data related to eCommerce. This policy is intended to comply with the requirements of the Payment Card Industry Data Security Standard (“PCI DSS”). The PCI DSS is included by reference herein; however, IT Services will be the sole determinant of how PCI DSS’ requirements will be applied within IT Services operations. This document will be annually reviewed and updated as appropriate to maintain compliance with the PCI DSS.

For the purposes of this document, the eCommerce infrastructure consists of the computing resources (i.e., servers, storage, network and storage switches, firewalls, physical racks containing these, and related software) that process, transmit, or store payment card data, or can directly access such resources. Servers that are part of the eCommerce infrastructure and any systems that can otherwise directly access computing resources that contain payment cardholder data must be registered as regulated computers.

Roles and Responsibilities (cf. PCI DSS requirements 1.1.4, 12.9)

University personnel who access information resources that transmit, process, or store payment card data are responsible for the application of this and related policies. In the case of contractors who require such access, it is the responsibility of the IT Services group overseeing the contractor activity to ensure that the contractor is informed of and abides by the relevant IT policies and procedures.

IT Security

IT Security is responsible for identifying network security threats, coordinating threat response, and directing forensic analysis. IT Security maintains any firewalls, access control systems, and security event and information management systems used by IT Services to support eCommerce. IT Security will be responsible for coordinating external network scans and any penetration testing of the eCommerce infrastructure.

IT Services Data Center Systems Engineering and Administration

Systems Engineering and Administration is responsible for the installation and maintenance of the server, storage, and database platforms which support the eCommerce infrastructure as well as those used by eCommerce applications. Systems and database administrators work with the IT Security group to proactively address security threats through maintenance activities and to respond to security threats if necessary.

IT Services Data Center Operations

Data Center Operations is responsible for the physical security of the IT Services eCommerce environment, the maintenance of the data center environment and power, and the coordination of routine “production” processes within the IT Services Data Center.

IT Services Data Networking

Data Networking is responsible for the management of the network media layers of the eCommerce infrastructure, including the physical network components and functions such as network switching and routing. Firewalls at appropriate network perimeter locations are maintained by this team in partnership with IT Security.

IT Services Desktop Support

The Desktop Support Group is responsible for the installation, maintenance, and security configuration of many workstations used by eCommerce application staff. In the event of a security incident involving workstations it supports, Desktop Support will work with IT Security to conduct forensic analysis of the event and to mitigate the threat. Any suspected security incidents related to these devices must be reported to the Information Security team at security@uchicago.edu; an incident response plan will then be initiated to verify any threats.

Workstations not supported by Desktop Support must meet the standards of the PCI DSS, and IT Services reserves the right to determine the suitability of such workstations to support applications operating with the IT Services eCommerce infrastructure.

IT Services Enterprise Applications & Systems

Enterprise Applications & Systems supports applications; such support can include software design, development, testing, move to production, production problem troubleshooting, and other support, as well as technical and other interaction with outside service providers such as application vendors and ASPs. For the applications it supports, the group is also responsible for coordinating communication and interaction among the University business client(s), any application vendor(s), contractors, or ASPs involved, and other IT Services groups, to ensure a sufficient understanding of the business purpose, intended use(s), and structure of the application(s) for a secure implementation and operation.

IT Services Web Systems Administration

IT Services Web Systems Administration is responsible for the secure configuration and management of all web servers within the eCommerce infrastructure. This includes obtaining, installing, and managing certificates used by web servers for encryption. Web Systems Administration works with the Systems Engineering and Administration, Database, and IT Security groups to proactively address security threats through maintenance activities and to respond to security threats if necessary.

System and Data Owners

System and data owners working with IT Services are responsible for the application of this and related policies to the systems, data, and other information resources under their care or control.

Access Control (cf. PCI DSS requirements 7 & 8)

Access to payment card customer information is restricted to those who have a need to know such information for business purposes. Access must be granted to individuals, not to roles, and all access must be able to be tracked by an element of identity that is unique to an individual. Access privileges must be revoked as soon as reasonably possible after a change in responsibilities or employment status of an individual warrants.

Cardholder Data Retention and Disposal (cf. PCI DSS requirements 3.1 & 3.2)

Neither payment card numbers nor data items prohibited from storage by the PCI DSS will be stored on University systems for any longer than necessary to complete the immediate transaction for which the data has been obtained. This prohibition includes storing such data in databases, log files, audit trails, backups, etc. (cf. University Financial Policy #1510)

Cardholder information will only be stored on systems as long as a significant business or legal requirement exists for retaining such information. Processes will be established for each eCommerce application to periodically remove customer information which is no longer relevant to the business process for which it was acquired. Such “stale” data normally should not remain on a system for more than one month after the requirement for its existence no longer pertains.

Policy Dissemination (cf. PCI DSS requirement 12.1)

All University personnel with responsibilities that require, or could reasonably require, them to access eCommerce computing resources or data in support of the eCommerce infrastructure or eCommerce applications are required to annually review this policy and indicate their compliance with it.

Category: Security
Expiration Date: September 21st, 2022
Policy Owner: Office of the Chief Information Security Officer