ECKERD COLLEGE
Payment Card Industry Data Security Standard (PCI DSS) Policy
Payment Card Industry Data Security Standard Policy
Page 1
1.0 Background Information ... 3
2.0 Purpose ... 3
3.0 Definitions ... 3
    1. Cardholder Data ... 3
    2. Cardholder Information Security Program (CISP) ... 3
    3. Data Security Standards ... 3
    4. Merchant Account ... 3
    5. Merchant ... 4
    6. Payment Card Industry Council (PCI) ... 4
    7. Self-Assessment ... 4
    8. Sensitive Data ... 4
4.0 Authority and Responsibility ... 4
5.0 Procedures ... 4
6.0 Compliance Certification Process ... 5
Appendix A - Confidentiality / Non-Disclosure Statement - Processors ... 6
1.0 Background Information
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for the security of credit card account data, developed by the credit card industry in response to an increase in identity theft and credit card fraud. As a merchant that handles credit card data, Eckerd College is obliged to safeguard that information and to adhere to the standards established by the Payment Card Industry Council, including setting up controls for handling credit card data, maintaining computer and internet security, and completing an annual Self-Assessment Questionnaire.
2.0 Purpose
The purpose of this policy is to define the guidelines for accepting and processing credit cards and for storing personal cardholder information in compliance with the Payment Card Industry Data Security Standard.
3.0 Definitions
1. Cardholder Data
Cardholder Data means any personal information of the cardholder: the account number, expiration date, name, address, telephone number, social security number, card validation code (CVC), or any other information that identifies the cardholder.

2. Cardholder Information Security Program (CISP)
Visa's Cardholder Information Security Program (CISP) is designed to ensure that all merchants that store, process, or transmit Visa cardholder data protect it properly.

3. Data Security Standards
Standards developed by the PCI Council to assure consumers that their brands and credit cards are reliable and secure. These standards include controls for the safe handling of sensitive consumer information.

4. Merchant Account
An account established for a unit by a bank to credit sale amounts and debit processing fees.
5. Merchant
An organization, department, institution, or unit that accepts credit cards as a method of payment for goods, services, information, or gifts.

6. Payment Card Industry Council (PCI)
The PCI (formally the PCI Security Standards Council, PCI SSC) is a group formed by the credit card industry (Visa, MasterCard, Discover, American Express, and JCB) to establish the Data Security Standard (DSS) for the industry. https://www.pcisecuritystandards.org/

7. Self-Assessment
The PCI Self-Assessment Questionnaire (SAQ) is a validation tool used primarily by merchants to demonstrate compliance with the PCI DSS. The current version of the SAQ (posted at https://www.pcisecuritystandards.org/tech/supporting_documents.htm) is based on the current version of the Payment Card Industry (PCI) Data Security Standard (DSS).

8. Sensitive Data
Sensitive Data includes the account number, magnetic stripe data, CVV2/CVC2, and expiration date.
4.0 Authority and Responsibility The Bursar’s office is responsible for issuing credit card merchant accounts and for overseeing policies and procedures regarding payment processing. Information Technology Service (ITS) is responsible for the operation of the College’s data networks including all merchant services systems.
5.0 Procedures
All credit card and debit card transaction acceptance, including web-based transactions, must be managed through the College's Bursar. Additionally, to ensure that all transactions are handled according to this Policy, sales of goods and services to entities outside the College should be reviewed and approved by the Controller's Office. Departments that need to accept credit or debit cards, or to obtain a physical terminal to swipe or key transactions, must contact the Bursar's Office to complete the required paperwork, obtain a Merchant Number, and receive direction on how to process those transactions for accounting purposes.
All transactions that the College processes must meet the standards outlined in this Policy.

1. Whenever possible, direct all in-person and telephone payments to the Bursar's Office for processing.
2. Credit card numbers should not be transmitted from, or stored on, a personal computer or e-mail account, and electronic lists of customers' credit card numbers should not be retained. Credit card information should only be accepted online, by telephone, by mail, or in person; it should not be accepted via e-mail, and departments should not e-mail credit card information. Lock computer terminals and paper storage areas when unattended.
3. Physical cardholder data must be locked in a secure area. Access should be limited to individuals who require the use of the data and restricted on a need-to-know basis.
4. Only essential information should be stored. Do not store the card validation code (also known as the security digits, V code, CVV2/CVC2, or CID), users' PINs, or the full contents of a card's magnetic stripe; these may not be retained after authorization, even if encrypted.
5. Credit card information should be destroyed by cross-cut shredding immediately after processing, unless it is retained under item 6.
6. Copies of credit card information should be retained only for the time needed to process the transaction or, if needed for reconciliation, for a maximum of one year; while retained they must be secured as described in item 3.
7. Credit card receipts may show at most the last five digits of the credit card number. Receipts that show more than the last five digits must be shredded or retained in a secure area. (PCI DSS's own masking requirement allows at most the first six and last four digits of a card number to be displayed, so terminals should be configured to print no more than the last four.)
8. Limit access to computing resources and cardholder information to those individuals whose job requires such access.
9. All departments must comply with the Payment Card Industry Data Security Standard.
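As an added illustration of items 2, 4, and 7 above (this is example code written for this page, not part of the College's policy or of any tool it names), the following Python script shows how a department or ITS could check a file for data this Policy forbids keeping and how to mask a card number for a receipt. The card numbers are publicly known test numbers, and the sample text, pattern names, and function names are constructed for the example. It goes slightly beyond the Policy text by also flagging magnetic-stripe track data, which item 4 says must never be stored, and it assumes receipts print only the last four digits.

```python
"""Cardholder-data discovery and masking helpers (added example; see lead-in).

Constructed for this page; not Eckerd College code. Two checks the policy
implies: find full card numbers and magnetic-stripe track data in text that
should never hold them, and mask a card number for display on a receipt.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 as read from a magnetic stripe: %B<PAN>^<NAME>^<YYMM><service code>...
_TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{7}")
# Track 2: <PAN>=<YYMM><service code>...
_TRACK2_RE = re.compile(r"(?<!\d)\d{13,19}=\d{7}\d*")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: real card numbers pass, most random digit runs fail."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the distinct Luhn-valid card numbers in text (digits only), in order found."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def find_track_data(text: str) -> list:
    """Return track 1 / track 2 fragments; full track data may never be stored."""
    return ([m.group() for m in _TRACK1_RE.finditer(text)]
            + [m.group() for m in _TRACK2_RE.finditer(text)])


def mask_pan(pan: str, visible_last: int = 4) -> str:
    """Mask a card number for a receipt or report, keeping only the trailing digits.

    Assumption for this example: receipts print the last four digits. The
    policy allows up to the last five, so anything larger is refused.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    if not 0 <= visible_last <= 5:
        raise ValueError("policy permits at most the last five digits on a receipt")
    tail = digits[-visible_last:] if visible_last else ""
    return "*" * (len(digits) - visible_last) + tail


# Constructed sample: a departmental spreadsheet export that this policy forbids.
# The card numbers are publicly known test numbers, not real accounts; the
# 20-digit order number and the phone numbers are there to show they are skipped.
SAMPLE = (
    "name,card,phone\n"
    "Jane Doe,4111 1111 1111 1111,727-555-0199\n"
    "John Roe,5500000000000004,727-555-0123\n"
    "order 20240101123456789012 swipe:%B4111111111111111^DOE/JANE^2512101?\n"
    ";4111111111111111=2512101?\n"
)


def scan(text: str) -> dict:
    """Summarize prohibited cardholder data found in text."""
    return {"pans": find_pans(text), "track_data": find_track_data(text)}


if __name__ == "__main__":
    result = scan(SAMPLE)
    for pan in result["pans"]:
        print("stored card number found:", mask_pan(pan))
    print("track data fragments found:", len(result["track_data"]))
```

The Luhn filter is what keeps a scan like this usable: phone numbers, order numbers, and other digit runs of the wrong length or checksum are ignored, so a hit is worth a human look. Run it over exported spreadsheets, shared drives, or mailbox exports before a self-assessment, and treat any track-data hit as a finding even if the rest of the record is already masked.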
6.0 Compliance Certification Process Staff responsible for processing, storing or transmitting credit card data must sign a PCI confidentiality statement - Appendix A.
Appendix A - Confidentiality / Non-Disclosure Statement - Processors

As a member of the staff of Eckerd College, I acknowledge that in the course of my employment I may have access to personal, proprietary, transaction-specific, and/or otherwise confidential data concerning faculty, staff, students, alumni, and/or other persons through the processing of credit card transactions. As an individual with responsibilities for processing, storing, and/or transmitting credit card data, I may have direct access to sensitive and confidential information in paper or electronic format. To protect the integrity and security of the systems and processes, as well as the personal and proprietary data of those to whom the College provides service, and to preserve and maximize the effectiveness of the College's resources, I agree to the following:

• I will maintain the confidentiality of my password and will not disclose it to anyone.
• I will use credit card data for College business purposes only.
• I will uphold Eckerd College's Code of Conduct, available at www.eckerd.edu/hr, and I agree to abide by it.
• I will verify the identity of any third-party persons claiming to be repair or maintenance personnel before granting them access to modify or troubleshoot devices.
• I will be vigilant and aware of suspicious behavior around devices.
• I will report suspicious behavior and indications of device tampering or substitution to the Bursar, who will report to Campus Safety.
• I have been provided a copy of the College's Payment Card Industry Data Security Standard Policy regarding the proper storage, protection, and disposal of such confidential data, and I will ensure that any such data is shredded or otherwise disposed of as per approved office policy when no longer needed.
• I have read, understand, and agree to abide by the PCI DSS Policy. Any violation of this Policy will be grounds for disciplinary action up to and including termination of employment from Eckerd College.
Name (Print) _______________________Signature__________________________ Date: _____
Department_________________________ Supervisor________________________ Date:_____