Units that are maintaining a network and system architecture used to process credit card transactions must complete a diagram or description of the PCI-related environment being used.
The diagram or description must include the following information:
To assist units in creating a compliant network infrastructure, CIT will maintain a PCI-compliant network, built around a central security server, that satisfies many of the network-based PCI requirements. Units running systems that must be PCI-compliant will logically route those systems through this security server so that it can enforce the necessary PCI rules on the devices and on any traffic to and from them. To connect to the security server, each unit will purchase a small virtual private networking (VPN) device that CIT will configure to create a private network between the device and the central security server. This configuration allows such private networks to be deployed anywhere on the Cornell campus or on the Internet. (Remote offices or traveling staff members can easily deploy the small VPN device wherever they are.) Any system, from point-of-sale systems to desktop systems to Web servers, must reside behind these VPN devices.
Each unit is required to create and maintain documentation that is specific to the unit's network and firewall configuration, its business practices and procedures, and the list of authorized personnel involved in any facet of credit card operations. This documentation must be shared with employees and updated when changes occur. Detailed documentation is a critical component of compliance and an essential tool should a breach occur.
Units connecting to CIT's Central PCI-Compliant Network must do the following:
System activity logs are critical in preventing, detecting, or minimizing the impact of a data compromise. Logs must be checked daily, at a minimum. Audit trail history must be retained for one year, with a strong recommendation that the most current quarter be readily available in the event of a compromise.