Maine State Government
Dept. of Administrative
& Financial Services
Office of Information
In order for State of Maine customers to conduct electronic financial transactions with state departments, customers
must be assured information provided to state agencies is handled in a safe and
secure manner. The State of Maine Office of the State Treasurer has issued
Credit Card Information Security Policy and Guidelines. The responsibility for adhering
to the Credit Card Information Security Policy and Guidelines falls to
employees, contractors, consultants, temporaries, and other workers.
The purpose of this policy is
to assure that OIT employees, contractors, consultants, and temporaries handling
cardholder data adhere to the guidelines and procedures detailed in the Office
of the Treasurerís Credit Card Information Security Policy and Guidelines.
III. Guidelines & Procedures
The Office of
the Treasurer has outlined the following guidelines to be followed in regard to
handling cardholder information.
A. Cardholder Data
1. The Primary Account Number (PAN) must NOT
be stored on any system, personal computer or email account.† (Should your
department have a legal or regulatory requirement to store the PAN, permission
may be granted only after a written request has been reviewed and approved by
the Office of the State Treasurer. Additional restrictions will apply)†
2. Under no circumstances should the card verification
code or value or PIN number or value be stored.
3. Do not store the full contents of any track from the
4. Mask PAN when displayed (the first six and last four
digits are the maximum number of digits to be displayed)
5. Keep all other cardholder data storage to a minimum.†
Develop and document a data retention and disposal policy.† Limit storage
amount and retention time to that which is required for business, legal, and or
regulatory purposes, as documented in retention policy.†† Cross cut shred,
incinerate, purge, degauss, or shred any hardcopy or electronic media when it
no longer qualifies for storage under the retention policy.
B. System Requirements
1. Install and maintain a firewall configuration capable
of protecting cardholder data.
2. Encrypt transmission of cardholder data across open,
public networks, including wireless networks.
3. Use and regularly update anti-virus software or
programs. Ensure that all anti-virus mechanisms are current, actively running,
and capable of generating audit logs.
4. Develop and maintain secure systems and applications.†
All systems must have the most recently released, appropriate vendor provided
security patches.† Establish a process to identify newly discovered security
5. Track and monitor all access to network resources and
cardholder data.† Regularly test security systems and processes.
C. Access Control
1. Limit access to computing resources and cardholder
information only to those individuals whose job requires such access.
2. Identify all users with a unique user name before
allowing them to access system components or cardholder data. Authentication
must be used in the form on one or more of the following methods: Password,
Token Devices (SecureID, Public Key), and Biometrics.
3. Ensure proper user authentication and password
management. This includes: Modifications of user IDs, addition, deletion,
removal of inactive accounts, immediate revocation of terminated users,
password lockout, inactivity logout, authentication of all access to any
database containing cardholder data.
4. Physically secure all paper and electronic media
(including computers, networking and communications hardware, paper receipts,
reports, and faxes) that contain cardholder data.
5. Use appropriate facility entry
controls to limit and monitor physical access to systems that store, process or
transmit cardholder data.
D. Security Policy
1. Develop and maintain department specific credit card
2. Develop usage policies for employees and contractors
containing acceptable uses of technologies.
3. Implement formal security awareness training to make
all employees aware of the importance of cardholder data security.†
4. Require employees to acknowledge in writing that they
have read and understood the departmentís security policy and procedures.
5. Create an incident response plan
to be implemented in the event of a system compromise.† Ensure the plan
addresses, at a minimum, specific incident response procedures, business
recovery and continuity† procedures, data backup processes, roles and
responsibilities, and communication and contact strategies.
E. Payment Card Industry Data Security Standards
1. The PCI DSS establishes industry standards concerning
the handling of credit card data.† In addition to compliance with the
Treasurerís Policy, departments should be thoroughly familiar and in compliance
with the PCI DSS where applicable.† The Treasurerís office will provide your
Department with the PCI DSS upon setup and before approval.
2. Departments may consider contracting with a vendor to
scan each IP connection and/or website to ensure PCI compliance.
3. Departments using only a dial terminal may contact the
Treasurerís Office for a self-assessment questionnaire.†
F. Responsibility as data handlers
1. The Office of Information Technology recognizes the
unique role OIT technologists occupy when conducting business with and for
state agencies. OIT employees are required to make any entity requesting the
handling of cardholder data aware of this policy.† Any entity requiring further
assistance with this policy should be directed to contact the Office of the
The Office of the State Treasurer must approve all credit card
processing activities in the State of Maine prior to entering into any
contracts or purchasing equipment.† This requirement applies regardless of the
transaction method.† Departments who need to process credit/debit cards should
contact the Office of the State Treasurer.
This policy applies to data
custodian agencies within the Executive Branch and semi-autonomous agencies of Maine State government, and to all their applications and data irrespective of where they
1. Semi-autonomous State Agency: An agency created by an
act of the Legislature that is not part of the conventional branches of
Government, i.e., the Executive Branch, the Legislative Branch, the Judicial
Branch, the Office of the Attorney General, the Office of the Secretary of
State, the Office of the State Treasurer, and the Audit Department.
2. PAN: Primary Account Number
3. PCI DSS: Payment Card Industry Data Security Standards are technical and operational requirements that were created to
help organizations that process card payments prevent credit card fraud,
hacking and various other security vulnerabilities and threats. The standards
apply to all organizations that store, process or transmit cardholder data Ė
with guidance for software developers and manufacturers of applications and
devices used in those transactions.
4. PIN: Personal Identification Number
Encrypt: Encryption is the
process of transforming information (referred to as plaintext) using an
algorithm (called cipher) to make it unreadable to anyone except those
possessing special knowledge, usually referred to as a key.
Token devices: Software and/or
security tokens guarantee a level of authentication factor required to conduct
electronic transactions at an agreed upon security level.
VII. Document Information
1. Document Reference Number: 39
2. Category: Security
3. Adoption Date: 05/12/2009
4. Effective Date: 05/12/2009
5. Review Date: 05/12/2012
6. Point of Contact: Security and Privacy Officer, OIT,
Kevin Jones 624-8800.
7. Approved By: Richard B. Thompson, Chief Information
Officer, State House Station #138, Augusta, ME 04333, (207) 624-7568.
8. Position Title(s) or Agency Responsible for
Enforcement: Security and Privacy Officer, OIT, Kevin Jones 624-8800.
9. Legal Citation: 5 MRSA, Chapter 163, Section 1973,
paragraphs B and D, read in part: [The Chief Information Officer shall]
"Set policies and standards for the implementation and use of information
and telecommunications technologies" and "Identify and implement
information technology best business practices and project management".