ROWAN UNIVERSITY POLICY


Title: PCI-DSS Compliance (Payment Card Industry Data Security Standards)
Subject: Credit and Debit Card Payments
Policy No: Fin: 2019:01  
Applies: University-Wide
Issuing Authority: President
Responsible Officer: Senior Vice President for Finance & CFO; Senior Vice President for Information Resources and Technology & CIO
Adopted: 03/18/2019
Last Revision: 03/07/2023
Last Reviewed: 03/07/2023


I. PURPOSE

The purpose of this policy is to:

    1. Establish University-wide standards to ensure PCI-DSS compliance. 
    2. Provide guidance to individuals with responsibility, authority, and stewardship over credit card and debit card payments.
    3. Minimize institutional risks associated with data breaches resulting from PCI-DSS non-compliance.

II. ACCOUNTABILITY

At the direction of the Senior Vice President for Finance & CFO (SVP & CFO) and the Senior Vice President for Information Resources and Technology & CIO (SVP & CIO), the University's PCI Compliance Committee shall implement and maintain this policy. The Vice Presidents, Deans, and other members of management shall implement this policy in their respective areas.

III. APPLICABILITY

This policy applies to all individuals who have the responsibility, authority, and stewardship over credit card and debit card payments processed by the University, and those who process credit and debit card payments on behalf of the University.

IV. DEFINITIONS

  1. Payment Card Industry Data Security Standards (PCI-DSS): PCI-DSS are a set of security standards designed by the PCI Security Standards Council to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment to protect and safeguard cardholder personal information and data.
  2. PCI Security Standards Council: An organization created by the major credit card companies in an effort to better protect credit card data.
  3. Attestation of Compliance (AOC): This document must be completed by a Qualified Security Assessor (QSA) or by the merchant as a declaration of the merchant's compliance status with the Payment Card Industry Data Security Standard.
  4. Qualified Security Assessor (QSA): A designation conferred by the PCI Security Standards Council on individuals who meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of a Qualified Security Assessor (QSA) company or approved PCI security and auditing firm, and will be performing PCI compliance assessments as they relate to the protection of credit card data.
  5. Self-Assessment Questionnaire (SAQ): The SAQ is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard. This questionnaire is completed on a yearly basis by the PCI Compliance Committee. The SVP & CFO is the officer responsible for signing the attestation of compliance.
  6. Approved Scanning Vendor (ASV): A third-party organization that is certified to perform external IP address network vulnerability scans, which are done to ensure all PCI compliance requirements are met.
  7. Merchant: An area or department of the University that accepts payments by way of credit or debit card for goods, services, and other University related items. Each department is issued a Merchant ID by Rowan's Approved and Exclusive Third Party Credit Card Processor.
  8. Cardholder Data (CHD): Any personally identifiable information (PII) associated with a person who has a credit or debit card. Cardholder data includes the primary account number (PAN) along with any of the following data types: cardholder name, expiration date or service code.
  9. Sensitive Authentication Data (SAD): Security-related information including, but not limited to, card validation codes/values (e.g., the three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data), full magnetic stripe data, PINs, and PIN blocks used to authenticate cardholders and/or authorize payment card transactions.
  10. Virtual Credit Card: A temporary credit card number that typically can only be processed one time for an exact dollar amount.
  11. Card Skimmer: A device that is attached to a credit card reader or its wiring and is used to collect data from the magnetic stripe of a credit, debit or ATM card. This information, copied onto another blank card's magnetic stripe, is then used by an identity thief to make purchases or withdraw cash in the name of the actual account holder.

Refer to the Rowan University Technology Terms and Definitions for technology terms and definitions that are used in this policy.

V. POLICY

  1. PCI Compliance Committee
    1. The University shall establish and maintain a PCI Compliance Committee to manage and oversee compliance with the PCI Standards set forth by the Payment Card Industry Security Standards Council.
    2. The Office of the Bursar and the Information Security Office shall designate members to the PCI Compliance Committee. 
    3. The Office of the Bursar and the Information Security Office shall have equal decision making authority within the PCI Compliance Committee.  
    4. The PCI Compliance Committee must maintain an inventory of all approved payment processing systems and merchant equipment to ensure only PCI-compliant hardware and software is in use.
    5. The PCI Compliance Committee must review all AOCs on an annual basis.
    6. The PCI Compliance Committee must complete the required SAQs on an annual basis for each credit card processing merchant. 
    7. The PCI Compliance Committee must ensure regularly scheduled network scans (if applicable) are completed by an approved scanning vendor. 
    8. The PCI Committee will notify any merchant found to be out of compliance and ensure appropriate mitigation plans are developed and implemented to bring them into compliance.
    9. This committee will provide training on PCI compliance procedures as needed and/or upon request.
  1. Merchant Registration:
    1. New Registration 
      1. Departments looking to process credit card transactions on behalf of the University for the first time must submit a Rowan University Credit Card Processing Merchant Request Form to be considered for approval by the PCI Compliance Committee.
    2. Existing Registration
      1. Departments already processing credit card transactions that are interested in changing their existing processing environment must also submit a Rowan University Credit Card Processing Merchant Request Form to be considered for approval by the PCI Compliance Committee.
    3. All credit card processing systems must be compatible with the University's Approved and Exclusive Third Party Credit Card Processor.
    4. New merchant requests require a new merchant contract to be established between Rowan's Approved and Exclusive Third Party Credit Card Processor and Rowan University. The signature of the CFO or the CFO's designee is required.
    5. All software and equipment that is connected to a new or existing merchant must be approved prior to implementation.
    6. Requestors are responsible for all costs associated with credit card processing software and equipment.
  2. Credit Card Readers and Online Payment Gateways:
    1. All payment processing systems and services must be reviewed and approved through the ITAP process and the PCI Compliance Committee prior to use at the University.
    2. All credit card readers must be listed as approved devices on the PCI Security Standards Council website.
    3. All credit card readers must be configured with Point to Point Encryption Solutions that are listed on the PCI Security Standards Council website.
    4. All secure online Payment Gateway technology must have a valid and up-to-date PCI-DSS Attestation of Compliance (AOC). The AOC must have been issued within the last year and is reviewed on an annual basis.
    5. Non-mobile credit card processing devices and systems (such as DESK3500 and ipp320 with Bill and Pay) must be connected directly (hard wired) to the secure Rowan University network.
    6. Mobile or wireless credit card processing devices must communicate by way of a cellular connection and cannot connect over Wi-Fi.
  3. Merchant Compliance:
    1. All University merchants must maintain compliance with this policy and related procedures.
    2. Merchants that are out of compliance with this policy must work with the PCI Compliance Committee to address and resolve any deficiencies immediately.
    3. Merchants unable to maintain PCI Compliance will have their ability to accept credit cards suspended or revoked.
  4. Processing Cardholder Data:
    1. Cardholder data can only be received in-person to be processed through a credit card reader, online through a secure payment gateway or by way of postal mail in which case it is also processed through a credit card reader. 
    2. Cardholder data cannot be received or exchanged over the telephone.
    3. Cardholder data cannot be emailed, faxed, scanned or printed.
      1. Receipts generated by credit card readers and online payment gateways with properly truncated credit card numbers are acceptable.
    4. If cardholder data is received by email or fax, notify the sender that the payment cannot be processed. The notification cannot contain credit card information. Ensure the original email containing credit card information is deleted.
    5. Personal devices such as computers, laptops, phones and other end user devices may not be used to exchange or process credit card data.
    6. Offices receiving cardholder data via postal service must maintain:
      1. A locked mailbox for delivery of incoming mail.
      2. A locked safe for in-process storage.
    7. If not being processed immediately, mail with cardholder data must be stored in the locked safe. Credit card data should never be left unattended.
    8. Credit card data captured on mailed in paper forms must be redacted using redacting pens, and then shredded immediately after processing.
      1. Forms used to capture credit card data must be approved by the PCI Compliance Committee. 
      2. Forms used to capture credit card data cannot include e-mail addresses and fax numbers.
    9. Rowan University staff, departments and its systems do NOT retain any credit card data. The retention period for credit card data at the University is zero days.
    10. Staff members processing credit card data should each have their own login to both the RU network and the credit card processing software being used. IDs and passwords should not be shared.
    11. Credit card data cannot be entered via a computer keyboard or other non-approved data entry devices.
    12. Please contact the PCI Compliance Committee, through the Office of the Bursar, if you have questions about how to process card-not-present refunds. SOM Medicine Offices should contact the Central Billing Office about card-not-present refunds.
    13. Although virtual credit card numbers do not fall within the scope of PCI compliance, if a department anticipates receiving virtual credit card data they should inform the PCI Compliance Committee.
  5. Credit Card Reader Maintenance:
    1. Department supervisors are responsible for ensuring all credit card reader devices used within their department are inspected at the start of each business day.
      1. Verify that non-mobile devices are fully hardwired to the Rowan University network. Processing with non-mobile devices wirelessly through laptops is prohibited.
      2. Look for signs of tampering.
      3. Verify that card skimmers have not been added to the device.
      4. Verify the device has not been replaced with a different device.
    2. Department supervisors must implement the Credit Card Reader Daily Inspection Log, which tracks the daily inspection of credit card readers. These logs must be kept in a safe location for a period of two years.
    3. Only Rowan University employees should inspect credit card reader devices.
    4. All credit card reader devices must be safeguarded and out of public reach.
    5. If a credit card reader device is no longer needed, it must be returned to the PCI Compliance Committee. Please notify the Office of the Bursar if necessary.
    6. Credit card reader devices cannot be transferred or relocated without approval from the Office of the Bursar.
  6. Additional Merchant Responsibilities:
    1. It is the responsibility of the supervisor overseeing a department that is processing credit card or debit card payments to ensure they work with the PCI Compliance Committee to:
      1. Ensure that all employees processing or with access to cardholder data are properly trained via the review of this document, the completion of Rowan University’s PCI Compliance Training and any other required security training set forth by IRT.
      2. Identify positions that require access to payment card data and system components and limit access to only employees whose jobs require such access. Be sure to deactivate/remove access when they no longer require access to cardholder environments.
        1. This may require contacting the Office of the Bursar.
      3. Provide a proper control environment, including segregation of duties, for processing payment card transactions.
    2. Department managers are responsible for overseeing the processing of refunds.
    3. Only department managers or designated staff should have access to process credit card refunds. 
    4. If a credit card reader or system allows a passcode to be entered in order to process a refund, the manager should have the refund passcode set up and ensure that it is distributed only to the limited designated staff who are allowed to process refunds.
    5. It is the responsibility of all Rowan University personnel to notify the PCI Compliance Committee (Office of the Bursar and Information Security Office) immediately in the event of suspected fraud or data breach.
      https://confluence.rowan.edu/display/POLICY/Security+Incident+Management+Policy

VI. ATTACHMENTS

  1. Attachment 1 – PCI Compliance Procedures
  2. Attachment 2 – New Credit/Debit Card Merchant Request Form
  3. Attachment 3 – POI Device Daily Inspection Log



ATTACHMENT 1
PCI COMPLIANCE PROCEDURES

  1. The intent of these procedures is to:
    1. Provide guidance to departments and all individuals with responsibility, authority, and stewardship over credit card and debit card payments being transacted on behalf of Rowan University from customers for goods or services provided, as well as for other University related activities
    2. Standardize documentation on PCI Compliance for future personnel and supervisory turnover
    3. Educate new personnel with minimal PCI Compliance experience on appropriate procedures associated with compliant processing of credit card and debit card payments and other activities
    4. Minimize institutional risks associated with data breaches that can result from PCI-DSS non-compliance
    5. Set a University-wide Best Practice regarding PCI Compliance
    6. Establish Internal Controls for security and compliance purposes
  2. The PCI Compliance Procedures are as follows:
    1. Credit Card Processing:
      1. Departments may accept credit card numbers online, in-person, over the telephone, or by mail. Telephone payments require special approval by the PCI Compliance Committee. Departments are not permitted to accept credit card payments via e-mail, fax, or consumer messaging (Skype, Instant Message, Facebook, etc.). It is best not to include e-mail addresses or fax numbers on credit card data entry forms, as this may mislead customers into thinking that they can submit the form via those methods.
      2. Credit card numbers may not be received via email or fax; these are not secure transmission methods. If such an email is received, do not process the payment. Respond to the sender indicating that the payment cannot be processed through an email or fax request. Make sure the credit card number does not appear in your response, and immediately delete the original email containing the credit card number.
      3. Paper records that include cardholder data (CD) or sensitive authentication data (SAD) must be treated as follows:
        1. Whenever possible this information should not be written down.
        2. Authorization forms or pieces of scrap paper that include this information must have this information blacked out immediately after the transaction is processed. A Redacting Pen is the only acceptable method of redacting this information. Please contact the Office of the Bursar if you need a redacting pen.
        3. It is the employee's responsibility to ensure, after using the Redacting Pen, that the data is unreadable.
      4. Mail that is believed to contain CD or SAD should not be opened unless it is going to be processed immediately.
        1. If forms or mail containing this data must be temporarily stored, the forms or mail should be stored immediately in a locked storage bin, lockbox or safe.
        2. All forms that are no longer needed should be moved to a shredding bin immediately, or at minimum at the end of each business day.
        3. If non-CD/SAD information on an authorization form must be retained, departments must create new forms so that the CD and SAD data can easily be destroyed as outlined above, and the other non-sensitive data can be stored as needed.
      5. Retention of Cardholder Data
        1. Cardholder data must not be stored electronically on the University network under any circumstances. Hence there is a retention period of 0 days for cardholder data being stored electronically on the Rowan University network.
        2. Cardholder data that is received over the phone should be entered directly into a card reader without being written down. However, if it is necessary to write the cardholder data down on a paper form, it must be processed immediately and must be redacted and placed in a University shred bin immediately after it has been processed. Hence there is a retention period of 0 days for cardholder data that is received over the phone and written down on paper.
        3. Cardholder data that is received by way of the mail should be processed immediately. However, if absolutely necessary it can be stored for no longer than 3 days within a locked safe, and must be redacted and placed in a University shred bin immediately after it has been processed.
        4. Cardholder data that is received through any other means or that exists on physical paper and has been processed must be redacted and placed in a University shred bin immediately after it has been processed. Hence there is a retention period of 0 days for cardholder data existing on physical paper that has been processed.
    2. Inspection of Point of Interaction (POI) devices:
      1. Department supervisors are responsible for ensuring all POI devices used within their department are inspected at the start of each business day.
        1. Users should look for signs of tampering of the device.
        2. Users should verify that card skimmers have not been added to the device.
        3. Users should verify the device has not been replaced with a different device.
      2. Only Rowan University employees should inspect POI devices.
      3. If an individual from outside of Rowan University is going to have to inspect a device, it must be preapproved.
      4. Department supervisors must implement the POI Device Daily Inspection Log, which tracks the daily inspection of POI devices (Attachment 4). Those logs must be kept in a safe location for a period of two years.
      5. If a POI device is no longer needed, it must be returned to the PCI Compliance Committee so that they can maintain and track device inventory. Please notify the Office of the Bursar of any unused POI devices.
      6. Only the PCI Compliance Committee can coordinate the disposal of POI devices.
      7. All POI devices must be safeguarded and out of public reach.
    3. All computers being used to process credit card payments should be connected directly (hard wired) to the secure Rowan University network:
      1. Personnel should not use personal computers or laptops to process credit card transactions.
      2. No data entry of credit card information can be entered via the keyboard. All entry of credit card information must be entered via an approved Rowan Credit Card reader or swipe device.
    4. If credit card numbers are taken over the phone, it is important to be sure that those phone conversations are not being recorded:
      1. Currently Rowan University does not record telephone calls.
      2. If these phone calls were ever to become recorded it is imperative that Rowan University secure PAN data within voice recordings. If SAD is verified to exist in recordings, Rowan should remove historical recordings and prevent SAD from being stored in recordings going forward.
      3. As it stands, only the Rowan University Foundation is permitted to accept credit card payments over the telephone.
    5. Printers:
      1. Printing of credit card data is strictly prohibited.
    6. Credit card transactions are processed in one of three ways: through Heartland terminals/readers, through a website hosted by the University where the credit card payment is made via a third party processor, such as authorize.net, or through a website hosted by a third party.
    7. For in-person payments, processing of credit card and debit card transactions should only be done using the POI card reader device.
    8. User IDs and Passwords:
      1. Each staff member who processes credit card and debit card transactions should have their own login ID and password for both the University network and the credit card and debit card processing software.
      2. Personnel should not share IDs and passwords.
      3. Users should not write down their IDs and passwords.
      4. When establishing IDs and passwords, users should be sure to choose strong authentication credentials.
      5. When changing passwords, users should not reuse old passwords.
      6. If there is ever suspicion that a password might be compromised, users should proactively update that password even if it has not yet expired.
    9. It is the responsibility of all Rowan University personnel to notify the PCI Compliance Committee (Bursar and Information Security) immediately in the event of suspected fraud or data breach.
    10. It is the responsibility of the supervisor overseeing a department that is processing credit card or debit card payments to ensure they work with the PCI Compliance Committee to:
      1. Keep the Credit/Debit Card Merchant Inventory Log up to date.
      2. Use the New Credit/Debit Card Merchant Request Form to request new or additional POI devices for the purpose of processing credit card and debit card payments.
      3. Identify positions that require access to payment card data and system components and limit access to only employees whose job requires such access. Be sure to deactivate/remove access when they no longer require access to cardholder environments.
      4. Provide a proper control environment, including segregation of duties, for processing payment card transactions.
      5. Ensure that all employees handling or with access to cardholder data are properly trained via the review of this document and other security requirements set by IRT.
      6. Inform the PCI Compliance Committee BEFORE changes are made to the merchant environment or method of payment card acceptance. Such changes include, but are not limited to:
        1. Adding new payment processing methods to an existing merchant account (e.g. adding web payments to a card-present only environment)
        2. New or changed payment application, including changing to a third-party hosting system
        3. Departmental contact responsible for the merchant account.
      7. Consult with the PCI Compliance Committee prior to signing contracts with payment card service providers to ensure PCI contract language has been included in any new or renewed master agreements.


ATTACHMENT 2
NEW CREDIT/DEBIT CARD MERCHANT REQUEST FORM

Rowan University
Credit Card Reader Request Form

ROWAN UNIVERSITY
OFFICE OF THE BURSAR


By signing this document, I certify that I have read and agree to abide by all terms of the Rowan University PCI (Payment Card Industry) Policy (https://go.rowan.edu/pci), and that upon approval to receive a credit card reader, I will take appropriate action necessary to ensure that all staff members who will be processing credit card payments using that reader will abide by the terms of the Rowan University PCI Policy, and will also complete all security awareness training that is required by the PCI Compliance IRT.


Department:____________________________________________________


Reason for request: 

___________________________________________________________________________________________________________________________________________________
___________________________________________________________________________________________________________________________________________________
___________________________________________________________________________________________________________________________________________________


Name of Person Initiating the Request (Please Print): 

______________________________________________________________________


Signature of Person Initiating the Request: 

______________________________________________________________________


Name of Department VP (Please Print):

______________________________________________________________________


Signature of Department VP:

______________________________________________________________________


All requests will be reviewed and ultimately approved or denied by the Office of the Bursar in conjunction with the Information Security Office. A site visit may be needed so that the location in which the credit card reader will be used can be fully assessed to ensure it meets all of the PCI DSS (Data Security Standards) requirements.




ATTACHMENT 3
POI DEVICE DAILY INSPECTION LOG

| DATE       | CARD READER INSPECTED FOR TAMPERING | CARD READER CHECKED FOR SKIMMER DEVICES | CARD READER ID# VERIFIED TO ENSURE DEVICE NOT REPLACED | INSPECTED BY |
| 11/15/2016 | Yes                                 | Yes                                     | Yes                                                    | Bill Conklin |