Payment Card Industry (PCI) Data Security Standard (DSS)
All CITGO locations transmitting on the CITGO Payment Card Network must have:
- POS software and hardware components that meet the most current PCI PA-DSS (Payment Application Data Security Standard) or PCI SSF (Software Security Framework)
- Policies and procedures in place to pass the current PCI DSS for merchants
- Installation and current use of a PCI DSS compliant firewall/MNSP device and service from a CITGO-authorized firewall service provider as listed in MarketNet
- Segmentation of cardholder data and sensitive data from other systems, including the main office or remote access to the POS and/or fuel dispensers
- Logging and tracking of all internet traffic connected to POS equipment and using the same internet connection as the POS. Consider enhanced or “smart” logging to identify threats to multiple systems from multiple sources. Contact your firewall provider for more details
- Protection of corporate data as if it were payment card data, to avoid a security attack and paying a ransomware demand in digital currency to decrypt your files. Enable Multi-Factor Authentication (MFA)
- Physical security for all devices that handle payment card information, with plugs/ports hidden from access, to avoid physical attacks through fraudulent POS and PIN Pad overlays and skimmers
- Strong passwords, with system default passwords changed in the POS, PIN Pads, Fuel/Site Controller, Electronic Payment Server, Fuel Dispensers, etc.
- Remote access used/allowed only when absolutely needed, with multi-factor authentication required for access. Disable it when not in use.
- Passing quarterly external scans by a PCI Approved Scanning Vendor (ASV)
- PIN Pads that meet current PCI PTS (Payment Card Industry PIN Transaction Security) requirements as indicated in the POS Approved Systems matrix in MarketNet. All inside PIN Pads must accept PIN debit cards and be contactless capable for EMV contactless (tap & pay) transactions.
- Monthly tracking of all equipment, by serial number, that contains cardholder data to ensure equipment has not been compromised (e.g., PIN Pads, POS, Electronic Payment Server (Gilbarco EDH, NCR EPC5), Fuel Controller, etc.)
- Monthly tracking of anti-virus software to ensure it is in place and set up for proper monitoring and mitigation of viruses and malware on all systems, including back office PCs, tank monitoring, etc.
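One way to carry out the monthly serial-number check described in the equipment-tracking requirement above is to keep a baseline inventory of every device that handles cardholder data and reconcile it against what the monthly physical walk-through finds. The following is an added example written for this page; it is not CITGO's own procedure or tooling, and every serial number, model and location in it is constructed. A device that is missing, a serial that was never recorded, or a device found somewhere other than its recorded location each warrants a closer look, since a swapped or relocated PIN Pad is one of the things this control exists to catch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One piece of equipment that stores, processes or transmits cardholder data."""
    serial: str
    model: str
    location: str


# Constructed baseline inventory from a prior month (hypothetical serials, not real devices).
BASELINE = [
    Device("PP-0001", "PIN Pad", "Register 1"),
    Device("PP-0002", "PIN Pad", "Register 2"),
    Device("EPS-0100", "Electronic Payment Server", "Back office"),
    Device("FC-0200", "Fuel Controller", "Back office"),
]

# Constructed result of this month's physical walk-through.
OBSERVED = [
    Device("PP-0001", "PIN Pad", "Register 1"),
    Device("PP-0099", "PIN Pad", "Register 2"),           # serial differs from baseline
    Device("EPS-0100", "Electronic Payment Server", "Back office"),
    Device("FC-0200", "Fuel Controller", "Register 1"),   # recorded in the back office
]


def reconcile(baseline, observed):
    """Compare observed devices against the baseline by serial number.

    Returns a list of (finding, serial, detail) tuples. Findings are emitted in a
    fixed order (MISSING, UNKNOWN, MOVED, MODEL_MISMATCH) and sorted by serial
    within each group so that month-to-month reports are easy to diff.
    """
    base = {d.serial: d for d in baseline}
    seen = {d.serial: d for d in observed}
    findings = []

    # Recorded device not found on site: possible removal or theft.
    for serial in sorted(base.keys() - seen.keys()):
        d = base[serial]
        findings.append(("MISSING", serial, f"{d.model} expected at {d.location} was not found"))

    # Device on site whose serial was never recorded: possible substitution.
    for serial in sorted(seen.keys() - base.keys()):
        d = seen[serial]
        findings.append(("UNKNOWN", serial, f"{d.model} at {d.location} is not in the baseline"))

    # Known serial, but not where (or what) the baseline says it should be.
    for serial in sorted(base.keys() & seen.keys()):
        b, s = base[serial], seen[serial]
        if b.location != s.location:
            findings.append(("MOVED", serial, f"{b.model} moved from {b.location} to {s.location}"))
        if b.model != s.model:
            findings.append(("MODEL_MISMATCH", serial, f"recorded as {b.model}, observed as {s.model}"))

    return findings


def needs_followup(findings):
    """True when any finding should be investigated before the baseline is updated."""
    return len(findings) > 0


if __name__ == "__main__":
    for kind, serial, detail in reconcile(BASELINE, OBSERVED):
        print(f"{kind:<15} {serial:<10} {detail}")
```

In practice the baseline would be loaded from the site's inventory record and the observed list entered from the walk-through; the point of the script is that the comparison is keyed on serial numbers rather than on device type or position, so a like-for-like replacement of a PIN Pad still shows up.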