ROWAN UNIVERSITY POLICY

Title: PCI-DSS Compliance (Payment Card Industry Data Security Standards)
Subject: Credit and Debit Card Payments
Policy No: Fin: 2019:01  
Applies: University-Wide
Issuing Authority: President
Responsible Officer: Senior Vice President for Finance & CFO; Senior Vice President for Information Resources and Technology & CIO
Adopted: 03/18/2019
Last Revision: 03/18/2019
Last Reviewed: 03/18/2019

I. PURPOSE

The purpose of this policy is to provide appropriate Payment Card Industry (PCI)-related guidance to departments that engage in storing, transmitting, and processing credit and debit card payments collected from customers for goods sold, services rendered, and/or other University related activities. 

II. ACCOUNTABILITY

At the direction of the Senior Vice President for Finance & CFO (SVP & CFO) and the Senior Vice President for Information Resources and Technology & CIO (SVP & CIO), the University's PCI Compliance Committee shall implement this policy. The committee consists of the Director for Business Affairs & Bursar (Chair), Director of Information Security, Assistant Bursar for Financial Operations, and the Manager of Information Security.

All managers and supervisors of departments, as well as, their subordinates, who process credit and debit card payments on behalf of the University, are responsible for complying with this policy.

III. APPLICABILITY

This policy is applicable to all individuals who have the responsibility, authority, and stewardship over credit card and debit card payments processed by the University, and those who process credit and debit card payments on behalf of the University.

IV. DEFINITIONS

1. PCI-DSS: Payment Card Industry Data Security Standards.  PCI DSS are a set of security standards designed by the PCI Security Standards Council to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment to protect and safeguard cardholder personal information data.
2. PCI-DSS SAQ: Payment Card Industry Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard.  This questionnaire is filled out on a yearly basis by the University’s PCI committee. The SVP & CFO is the officer responsible for signing the attestation of compliance.
3. AOC:  Attestation of Compliance.  This document must be completed by a Qualified Security Assessor (QSA) or by the merchant as a declaration of the merchant's compliance status with the Payment Card Industry Data Security Standard (PCI DSS).
4. Point of Interaction (POI): A hardware or software component in a point of sale equipment (e.g., a magnetic card reader) that enables a consumer to use a credit card or debit card to make a purchase.
5. Card Skimmer: A devices that is used to collect data from the magnetic stripe of a credit, debit or ATM card. This information, copied onto another blank card's magnetic stripe, is then used by an identity thief to make purchases or withdraw cash in the name of the actual account holder.
6. Cardholder Data (CD):  Any personally identifiable information (PII) associated with a person who has a credit or debit card. Cardholder data includes the primary account number (PAN) along with any of the following data types: cardholder name, expiration date or service code.
7. Sensitive Authentication Data (SAD): Security-related information including, but not limited to, card validation codes/values (e.g., three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data, full magnetic stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
8. ASV: Approved Scanning Vendor.  This is a third party organization that is certified to perform quarterly external IP address network vulnerability scans that are done to ensure all PCI compliance requirements are met.
9. Merchants: An area or department of the University that accepts payments for goods, services, and other University related items. Each department is issued a Merchant ID by Heartland.

V. POLICY

Merchants are continuously assessed and evaluated by the PCI Compliance Committee in order to maintain compliance with PCI-DSS.

If merchants are found to be out of compliance at any point, the PCI Compliance Committee will contact the merchant representative to discuss the deficiency and recommend the action needed to achieve compliance.  Since Rowan University views non-compliant merchant accounts as a high financial risk to the institution, it is expected that the merchant will address this issue of non-compliance immediately. Merchants that remain out of compliance without approval may have their ability to accept credit cards suspended or revoked.

The PCI Compliance Committee will maintain an inventory of all credit card and debit cards merchant IDs and merchant equipment.  Requests for a new merchant will have to be formally submitted, by way of the New Credit/Debit Card Merchant Request Form, to the Director for Business Affairs & Bursar and/or the Assistant Bursar of Financial Operations for review and approval. Once approved, a contract is generated by University’s existing payment processor and signed by the SVP & CFO.

The PCI Compliance Committee will review the PCI compliance procedures once per year for possible revisions. This committee will provide training on PCI compliance procedures as needed and/or upon request.

VI. ATTACHMENTS

1. Attachment 1 – PCI Compliance Procedures
2. Attachment 2 – New Credit/Debit Card Merchant Request Form
3. Attachment 3 – POI Device Daily Inspection Log

ATTACHMENT 1
PCI COMPLIANCE PROCEDURES

1. The intent of these procedures is to:
1. Provide guidance to departments and all individuals with responsibility, authority, and stewardship over credit card and debit card payments being transacted on behalf of Rowan University from customers for goods or services provided, as well as, for other University related activities
2. Standardize documentation on PCI Compliance for future personnel and supervisory turnover
3. Educate new personnel with minimal PCI Compliance experience on appropriate procedures associated to compliant processing of credit card and debit card payments and other activities
4. Minimize institutional risks associated to data breaches that can result from PCI-DSS non-compliance
5. Set a University-wide Best Practice regarding PCI Compliance
6. Establish Internal Controls for security and compliance purposes
2. The PCI Compliance Procedures are as follows:
1. Credit Card Processing:
   1. Departments may accept credit card numbers online, in-person, over the telephone, or by mail. Telephone payments require special approval by PCI Compliance Committee. Departments are not permitted to accept credit card payments via e-mail, fax, or consumer messaging (Skype, Instant Message, Facebook, etc…). It is best not to include e-mail addresses or fax numbers on credit card data entry form as this may mislead customers into thinking that they can submit this via this method.
   2. Credit card numbers may not be received via email or fax, this is not a secure transmission method. If an email is received, do not process the payment. Respond to the sender indicating that said payment cannot be processed through an email or fax request. Make sure the credit card number does not appear in your response and immediately delete the original email containing the credit card number.
   3. Paper records that include cardholder data (CD) or sensitive authentication data (SAD) must be treated as follows:
      1. Whenever possible this information should not be written down.
      2. Authorization forms or pieces of scrap paper that include this information must have this information blacked out immediately after the transaction is processed. A Redacting Pen is the only acceptable method of redacting this information. Please contact the Office of the Bursar if you need a redacting pen.
      3. It is the employee’s reasonability to ensure after using the Redacting Pen that the data is unreadable.
   4. Mail that is believed to contain CD or SAD should not be opened unless it is going to be processed immediately.
      1. If forms or mail containing this data must be temporarily stored, the forms or mail should be stored immediately in a locked storage bin, lockbox or safe.
      2. All forms that are no longer needed should be moved to a shredding bin immediately, or at minimum at the end of each business day.
      3. If non-CD/SAD information on an authorization form must be retained, departments must create new forms so that the CD and SAD data can easily be destroyed as outlined above, and the other non-sensitive data can be stored as needed.
2. Inspection of Point of Interaction (POI) devices:
   1. Department supervisors are responsible for ensuring all POI devices used within their department are inspected at the start of each business day.
      1. Users should look for signs of tampering of the device.
      2. Users should verify that card skimmers have not been added to the device.
      3. Users should verify the device has not been replaced with a different device.
   2. Only Rowan University employees should inspect POI devices.
   3. If an individual from outside of Rowan University is going have to inspect a device it must be preapproved.
   4. Department supervisors must implement the POI Device Daily Inspection Log that will track the daily inspection of POI devices (Attachment 4). Those logs must be kept in safe location for a period of two years.
   5. If a POI device is no longer needed it needs to be returned to the PCI Compliance Committee so that they can maintain and track device inventory. Please notify the Office of the Bursar of any unused POI devices.
   6. Only the PCI Compliance Committee can coordinate the disposal of POI devices.
   7. All POI devices must safeguarded and out of public reach.
3. All computers being used to process credit card payments should be connected directly (hard wired) to the secure Rowan University network:
   1. Personnel should not use personal computers or laptops to process credit card transactions.
   2. No data entry of credit card information can be entered via the keyboard. All entry of credit card information must be entered via an approved Rowan Credit Card reader or swipe device.
4. If credit card numbers are taken over the phone, it is important to be sure that those phone conversations are not being recorded:
   1. Currently Rowan University does not record telephone calls.
   2. If these phone calls were ever to become recorded it is imperative that Rowan University secure PAN data within voice recordings. If SAD is verified to exist in recordings, Rowan should remove historical recordings and prevent SAD from being stored in recordings going forward.
   3. As it stands, only the Rowan University Foundation is permitted to accept credit card payments over the telephone.
5. Printers:
   1. Printing of credit card data is strictly prohibited.
6. Credit card transactions are processed in one of three ways: Through Heartland terminals/reader, through a website hosted by the University where the credit card payment is made via a third party processor, such as authorize.net, or through a website hosted by a third party.
7. For in-person payments, processing of credit card and debit card transactions should only be done using the POI card reader device.
8. User Ids and Passwords:
   1. Each staff member that is processing credit card and debit card transactions should have their own log in ID and Password for both the University network and the credit card and debit card processing software.
   2. Personnel should not share IDs and Passwords.
   3. Users should not write down their IDs and Passwords.
   4. Users should be sure that when establishing IDs and Passwords they choose strong authentication credentials.
   5. When changing passwords users should not reuse old passwords.
   6. And if there is ever suspicion that a password might be compromised users should proactively update that password even if it has not yet expired.
9. It is the responsibility of all Rowan University personnel to notify the PCI Compliance Committee (Bursar and Information Security) immediately in the event of suspected fraud or data breach.
10. It is the responsibility of the supervisor overseeing a department that is processing credit card or debit card payments to ensure they work with the PCI Compliance Committee to:
    1. Keep the Credit/Debit Card Merchant Inventory Log up to date.
    2. Use the New Credit/Debit Card Merchant Request Form to request a new or subsequent POI devices for the sake of processing credit card and debit card payments.
    3. Identify positions that require access to payment card data and system components and limit access to only employees whose job requires such access. Be sure to deactivate/remove access when they no longer require access to cardholder environments.
    4. Provide a proper control environment, including segregation of duties, for processing payment card transactions.
    5. Ensure that all employees handling or with access to cardholder data are properly trained via the review of this document and other security requirements set by IRT.
    6. Inform the PCI Compliance Committee BEFORE changes are made to the merchant environment or method of payment card acceptance. Such changes include, but are not limited to:
       1. Adding new payment processing methods to an existing merchant account (e.g. adding web payments to a card-present only environment)
       2. New or changed payment application, including changing to a third-party hosting system
       3. Departmental contact responsible for the merchant account.
    7. Consult with the PCI Compliance Committee prior to signing contracts with payment card service providers to ensure PCI contract language has been included in any new renewed master agreements.

ATTACHMENT 2
NEW CREDIT/DEBIT CARD MERCHANT REQUEST FORM

Rowan University
Credit Card Reader Request Form

ROWAN UNIVERSITY
OFFICE OF THE BURSAR

By signing this document, I certify that I have read and agree to abide by all terms of the Rowan University PCI (Payment Card Industry) Policy (https://go.rowan.edu/pci), and that upon approval to receive a credit card reader, I will take appropriate action necessary to ensure that all staff members who will be processing credit card payments using that reader will abide by the terms of the Rowan University PCI Policy, and will also complete all security awareness training that is required by the PCI Compliance IRT.

Department:____________________________________________________

Reason for request: 

Name of Person Initiating the Request (Please Print): 

______________________________________________________________________

Signature of Person Initiating the Request: 

______________________________________________________________________

Name of Department VP (Please Print):

______________________________________________________________________

Signature of Department VP:

______________________________________________________________________

All requests will be reviewed and ultimately approved or denied by the Office of the Bursar in conjunction with the Information Security Office.  There may be the need for a site visit so that the location in which the credit card reader will be used can be fully assessed to ensure it meets all of the PCI DSS (Data Security Standards) requirements.

ATTACHMENT 3
POI DEVICE DAILY INSPECTION LOG