
...

Title: PCI-DSS Compliance (Payment Card Industry Data Security Standards)
Subject: Credit and Debit Card Payments
Policy No: Fin: 2019:01  
Applies: University-Wide
Issuing Authority: President
Responsible Officer: Senior Vice President for Finance & CFO; Senior Vice President for Information Resources and Technology & CIO
Adopted: 03/18/2019
Last Revision: 05/09/2022 (previously 03/18/2019)
Last Reviewed: 05/09/2022 (previously 03/18/2019)


I. PURPOSE

The purpose of this policy is to provide appropriate Payment Card Industry (PCI)-related guidance to departments that store, transmit, or process credit and debit card payments collected from customers for goods sold, services rendered, and/or other University-related activities.

...

  1. The intent of these procedures is to:
    1. Provide guidance to departments and all individuals with responsibility, authority, and stewardship over credit card and debit card payments transacted on behalf of Rowan University from customers for goods or services provided, as well as for other University-related activities
    2. Standardize documentation on PCI Compliance for future personnel and supervisory turnover
    3. Educate new personnel with minimal PCI Compliance experience on the procedures associated with compliant processing of credit card and debit card payments and other activities
    4. Minimize institutional risks associated with data breaches that can result from PCI-DSS non-compliance
    5. Set a University-wide Best Practice regarding PCI Compliance
    6. Establish Internal Controls for security and compliance purposes
  2. The PCI Compliance Procedures are as follows:
    1. Credit Card Processing:
      1. Departments may accept credit card numbers online, in person, over the telephone, or by mail. Telephone payments require special approval by the PCI Compliance Committee. Departments are not permitted to accept credit card payments via e-mail, fax, or consumer messaging (Skype, Instant Message, Facebook, etc.). It is best not to include e-mail addresses or fax numbers on credit card data entry forms, as this may mislead customers into thinking that they can submit the form via those methods.
      2. Credit card numbers may not be received via email or fax; these are not secure transmission methods. If such an email is received, do not process the payment. Respond to the sender indicating that the payment cannot be processed through an email or fax request. Make sure the credit card number does not appear in your response, and immediately delete the original email containing the credit card number.
      3. Paper records that include cardholder data (CD) or sensitive authentication data (SAD) must be treated as follows:
        1. Whenever possible this information should not be written down.
        2. Authorization forms or pieces of scrap paper that include this information must have this information blacked out immediately after the transaction is processed. A Redacting Pen is the only acceptable method of redacting this information. Please contact the Office of the Bursar if you need a redacting pen.
        3. It is the employee’s responsibility to ensure, after using the Redacting Pen, that the data is unreadable.
      4. Mail that is believed to contain CD or SAD should not be opened unless it is going to be processed immediately.
        1. If forms or mail containing this data must be temporarily stored, the forms or mail should be stored immediately in a locked storage bin, lockbox or safe.
        2. All forms that are no longer needed should be moved to a shredding bin immediately, or at minimum at the end of each business day.
        3. If non-CD/SAD information on an authorization form must be retained, departments must create new forms so that the CD and SAD data can easily be destroyed as outlined above, and the other non-sensitive data can be stored as needed.
      5. Retention of Card Holder Data
        1. Card holder data must not be stored electronically on the University network under any circumstance. Hence there is a retention period of 0 days for card holder data being stored electronically on the Rowan University network.
        2. Card holder data that is received over the phone should be entered directly into a card reader without having to be written down. However, if it is necessary to write the card holder data down on a paper form it must be processed immediately and must be redacted and placed in a University shred bin immediately after it has been processed.  Hence there is a retention period of 0 days for card holder data that is received over the phone and written down on paper. 
        3. Card holder data that is received by way of the mail should be processed immediately. However, if absolutely necessary it can be stored for no longer than 3 days within a locked safe, and must be redacted and placed in a University shred bin immediately after it has been processed. 
        4. Card holder data that is received through any other means or that exists on physical paper and has been processed must be redacted and placed in a University shred bin immediately after it has been processed. Hence there is a retention period of 0 days for card holder data existing on physical paper that has been processed.
    2. Inspection of Point of Interaction (POI) devices:
      1. Department supervisors are responsible for ensuring all POI devices used within their department are inspected at the start of each business day.
        1. Users should look for signs of tampering of the device.
        2. Users should verify that card skimmers have not been added to the device.
        3. Users should verify the device has not been replaced with a different device.
      2. Only Rowan University employees should inspect POI devices.
      3. If an individual from outside of Rowan University is going to have to inspect a device, it must be preapproved.
      4. Department supervisors must implement the POI Device Daily Inspection Log that will track the daily inspection of POI devices (Attachment 4). Those logs must be kept in a safe location for a period of two years.
      5. If a POI device is no longer needed, it must be returned to the PCI Compliance Committee so that they can maintain and track device inventory. Please notify the Office of the Bursar of any unused POI devices.
      6. Only the PCI Compliance Committee can coordinate the disposal of POI devices.
      7. All POI devices must be safeguarded and kept out of public reach.
        1. All computers being used to process credit card payments should be connected directly (hard wired) to the secure Rowan University network:
          1. Personnel should not use personal computers or laptops to process credit card transactions.
          2. Credit card information must not be entered via the keyboard. All credit card information must be entered via an approved Rowan credit card reader or swipe device.
        2. If credit card numbers are taken over the phone, it is important to be sure that those phone conversations are not being recorded:
          1. Currently Rowan University does not record telephone calls.
          2. If these phone calls were ever to be recorded, it is imperative that Rowan University secure PAN data within voice recordings. If SAD is verified to exist in recordings, Rowan should remove historical recordings and prevent SAD from being stored in recordings going forward.
          3. As it stands, only the Rowan University Foundation is permitted to accept credit card payments over the telephone.
        3. Printers:
          1. Printing of credit card data is strictly prohibited.
        4. Credit card transactions are processed in one of three ways: through Heartland terminals/readers, through a website hosted by the University where the credit card payment is made via a third-party processor such as authorize.net, or through a website hosted by a third party.
        5. For in-person payments, processing of credit card and debit card transactions should only be done using the POI card reader device.
        6. User Ids and Passwords:
          1. Each staff member who processes credit card and debit card transactions should have their own login ID and password for both the University network and the credit card and debit card processing software.
          2. Personnel should not share IDs and Passwords.
          3. Users should not write down their IDs and Passwords.
          4. Users should be sure that when establishing IDs and Passwords they choose strong authentication credentials.
          5. When changing passwords users should not reuse old passwords.
          6. If there is ever suspicion that a password might be compromised, users should proactively update that password even if it has not yet expired.
        7. It is the responsibility of all Rowan University personnel to notify the PCI Compliance Committee (Bursar and Information Security) immediately in the event of suspected fraud or data breach.
        8. It is the responsibility of the supervisor overseeing a department that is processing credit card or debit card payments to ensure they work with the PCI Compliance Committee to:
          1. Keep the Credit/Debit Card Merchant Inventory Log up to date.
          2. Use the New Credit/Debit Card Merchant Request Form to request new or additional POI devices for processing credit card and debit card payments.
          3. Identify positions that require access to payment card data and system components, and limit access to only those employees whose job requires such access. Be sure to deactivate/remove access when they no longer require access to cardholder environments.
          4. Provide a proper control environment, including segregation of duties, for processing payment card transactions.
          5. Ensure that all employees handling or with access to cardholder data are properly trained via the review of this document and other security requirements set by IRT.
          6. Inform the PCI Compliance Committee BEFORE changes are made to the merchant environment or method of payment card acceptance. Such changes include, but are not limited to:
            1. Adding new payment processing methods to an existing merchant account (e.g. adding web payments to a card-present only environment)
            2. New or changed payment application, including changing to a third-party hosting system
            3. Departmental contact responsible for the merchant account.
          7. Consult with the PCI Compliance Committee prior to signing contracts with payment card service providers to ensure PCI contract language has been included in any new or renewed master agreements.

      ...