/policies/,/policies/administrative/,/policies/administrative/uwhc/,/policies/administrative/uwhc/department-specific/,/policies/administrative/uwhc/department-specific/information-services/,

/policies/administrative/uwhc/department-specific/information-services/se-pol-004.policy

201606166

page

100

UWHC,UWMF,

Policies,Administrative,UWHC,Department Specific,Information Services

Credit Card Security (SE-POL-004)

Credit Card Security (SE-POL-004) - Policies, Administrative, UWHC, Department Specific, Information Services

SE-POL-004


Administrative Departmental Policy
This department-specific policy applies to the operations and staff of the Information Services
Department of the University of Wisconsin Hospitals and Clinics Authority as integrated effective July 1,
2015.

Policy Title: UW Health IS Credit Card Security
Policy Number: SE-POL-004
Effective Date: 4/20/16
Chapter: NA
Version: Revision

I. PURPOSE
This policy provides an overview of the ways in which UW Health protects credit cardholder data
in accordance with the Payment Card Industry Data Security Standard (PCI-DSS) [12.1].


II. DEFINITIONS (optional)
NA


III. POLICY ELEMENTS
UW Health maintains policies and procedures to address PCI-DSS compliance requirements as
defined in the Self-Assessment Questionnaire (SAQ) C [12.1.1, 12.1.2, 12.1.3]. All card
processing activities and related technologies employed within the UW Health environment must
comply with PCI-DSS SAQ-C requirements.

Daily operational security procedures consistent with PCI-DSS requirements are outlined in the
UW Health Credit Card Payment Policy [12.2]. That policy prohibits sending unencrypted PANs
by end-user messaging technologies. Examples of end-user technologies include email, instant
messaging and chat [4.2]; prohibits the storing of PCI-DSS defined credit card data in an
electronic format on any computer, server or database including Excel spreadsheets, and classifies
it as sensitive data [9.6.1, 9.7];prohibits emailing of credit card information; specifies the
procedures to maintain strict control over the internal and external distribution of sensitive
cardholder data [9.9]; and proper handling of hard copy materials containing confidential or
sensitive information (e.g., paper receipts, paper reports, faxes, etc.) [9.6] and the logs on which
they are tracked [9.7].

Based upon this policy, the UW Health Credit Card Payment Policy, utilization of encrypted pin
pad devices, and the use of redirects to third-party vendors for web based credit card processing, a
number of the PCI Compliance requirements may no longer apply.

UW Health Network equipment is installed and managed according to the Network Equipment
Management policy and procedure, following the Change Review and Management policy and
procedure [12.3.6]. Quarterly testing will be conducted to ensure there are no unauthorized

wireless access points present in the cardholder data environment[11.1]. In addition, at least
quarterly, and after any significant changes in the network, UW Health will perform vulnerability
scanning on all in-scope systems [11.2]. UW Health utilizes firewall and router configurations to
restrict connections between untrusted networks and cardholder data system components, and
restricts connections and traffic, both inbound and outbound, to the cardholder data environment
to that which is necessary [1.2, 1.2.1]. Perimeter firewalls exist between the wireless network and
the cardholder data environment. These firewalls are configured to deny or control any traffic
from the wireless environment into the cardholder data environment [1.2.3].

UW Health has established a PCI specific DMZ, which prohibits direct public access between the
Internet and any system component in the cardholder data environment [1.3]. It does not allow
any direct connections inbound or outbound for traffic between the Internet and the cardholder
data environment [1.3.3], nor does it allow unauthorized outbound traffic from the cardholder
data environment to the Internet [1.3.5]. Only permitted authorized connections are allowed into
the network via firewall dynamic packet filtering [1.3.6].

Use of vendor default passwords on any system is not allowed [2.1], and systems must be
maintained in accordance with the UW Health System Maintenance and Management policy and
procedure, and the System Wide Malware and Anti-Virus policy and procedure [5.1, 5.1.1, 5.2].
Log retention for the corporate anti-virus solution will be set to 365 days. At least three months
of logs must always be immediately available inline, while the remaining nine months can be
stored offline [10.7].

UW Health uses strong cryptography and security protocols (for example, SSL/TLS, IPSEC,
SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks
[4.1].

UW Health will encrypt all non-console administrative access using strong cryptography
technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console
administrative access. [2.3].

The payment navigator environment consists of PIN PAD devices and application with no
administrative access to encrypted PIN PAD devices. Two-factor authentication for all other
administrative access will be completed as part of an on-going FY15 – FY16 project.[8.3].

UW Health has a System Maintenance and Management policy and procedure to document the
established process of identifying and assigning risk ranking to newly discovered security
vulnerabilities [6.1, 6.2].

Access to UW Health’s cardholder data is limited to only those individuals whose job requires
such access, and is limited to that which is required to perform their job function or role [7.1].
Access to cardholder data requires management authorization.

All accounts used by vendors for remote maintenance shall be enabled only during the time
period needed. At all other times these accounts must be disabled [8.5.6, 12.3.9].

UW Health annually performs a risk assessment to identify information security threats and
vulnerabilities. The UW Health IS Policy and Procedure Development Policy and Procedure
requires annual review of all IS Policies and Procedures to reflect changes to business objectives
and/or the risk environment.


Oversight responsibility for information security is assigned to the UW Health Information
Services Security Officer, who shall ensure:
1. Security policies are established, documented, and distributed [12.5].
2. Security alerts and information are monitored, analyzed, and distributed to appropriate
personnel [12.5.2].
3. Security incident response and escalation procedures are established, documented, and
distributed in accordance with the UW Health Incident Response policy and procedure to
ensure timely and effective handling of all situations [12.5.3].
4. User accounts are administered appropriately, to include additions, deletions, and
modifications.
5. Access to data is monitored and controlled.
6. Ensures annual Compliance and Security training is conducted and tracked [12.6].

Point of sale systems will be segmented from the rest of the UW Health network, and third party
payment processors are utilized to prevent UW Health from holding or sharing cardholder
information [12.8]. UW Health’s Vendor Agreements related to credit card acceptance require
that all vendors be PCI-DSS compliant [12.4].

UW Health does not allow the use of employee-facing technologies to store, process or otherwise
handle cardholder data. Employee-facing technologies include remote-access technologies,
wireless technologies, removable electronic media, laptops, personal data/digital assistants
(PDAs), email, and internet usage [12.3]. All technology use must be authorized by the
individual’s Supervisor or higher level of management [12.3.1]. All technology used for payment
card processing will require an individual to have a unique ID and password authentication for
use [12.3.2]. A list of all such devices and personnel with access will be maintained [12.3.3].
Refer to the reference policies for acceptable uses of the technology [12.3.5], and acceptable
network locations for the technologies [12.3.6]. Remote-access technologies are set with pre-
defined session timeouts and disconnects after a period of inactivity [12.3.8]. Activation of
remote-access technologies to the cardholder data environment (CDE) for vendors and business
partners is done only when needed by vendors and business partners, with immediate deactivation
after use [12.3.9].UW Health has implemented a formal compliance and security awareness
program to train and educate all personnel on the importance of maintaining cardholder data
security [12.6]. The compliance and security awareness program:
1. Educates personnel upon hire.
2. Requires personnel to acknowledge at least annually that they have read and understood
all policies and procedures to include the security policy.
3. Requires personnel to complete annual compliance and security training

UW Health performs background checks of all personnel prior to hire, in order to minimize the
risk of compromising cardholder information by internal sources [12.7]. Background checks
include:
• Prior employment history
• Criminal record
• Reference checks

UW Health has implemented a UW Health IS Computer Security Incident Response Policy and
Procedure, and a UW Health IS Incident Review Policy and Procedure to ensure immediate
response and follow up to any breach of sensitive data, to include cardholder information [12.9].

The Purchasing Department and the Legal Services Department will not process any equipment
or purchased service agreement without UW Health IS sign-off [12.8.3]. IS will ensure that all

contracts with credit card service related providers include an acknowledgement that the service
providers are responsible for the security of cardholder data in their possession on behalf of UW
Health [12.8.2], and IS will review their PCI DSS compliance status on an annual basis [12.8.4].


IV. PROCEDURE
The following procedures support this policy:
UW Health System Maintenance and Management Procedure
UW Health IS Computer Security Incident Response Procedure
UW Health IS Incident Review Procedure
UW Health Wireless Security and Access Policy
System Wide Malware and Anti-Virus Procedure
UW Health Authentication and Password Policy
UW Health IS Policy and Procedure Development Procedure
Change Review and Management Procedure
Network Equipment Management Procedure


V. FORMS (optional)
NA


VI. REFERENCES (optional)
UW Health System Maintenance and Management Policy
UW Health IS Computer Security Incident Response Policy
UW Health IS Incident Review Policy
UW Health Wireless Security and Access Policy
Use of Internet Technology via Hospital Resources
Workstation Acceptable Use and Security Management
System Wide Malware and Anti-Virus Policy
The Minimum Necessary Rule
UW Health Access to Electronic Information Systems
UW Health Authentication and Password Policy
Remote Access to Electronic Information Systems
UW Health IS Policy and Procedure Development Policy
Change Review and Management Policy
Network Equipment Management Policy


VII. COORDINATION

Sr. Management Sponsor: UW Health IS CTO
Author: UW Health IS Director – Systems Security
Reviewer(s): UW Health IS Directors, UWHC Internal Auditor

Approval Committee: UW Health IS Directors

SIGNED BY:
UW Health CIO


Revision Detail:

Effective Date Next Review Summary of Changes Change Authors
4/20/2016 4/20/2017 Annual review/revision. E. Gerke, E. Bakkum
12/29/2014 12/29/2015 Original release. E. Gerke, J. Leonard