Vanderbilt University
Payment Card Processing and PCI Compliance Policy and Procedures Manual
PCI Compliance Office
Information Technology
Treasury
VUMC Finance

Table of Contents
Policy ... 2
I. Purpose ... 2
II. Overview ... 2
III. Applicability ... 2
IV. Definitions ... 2
V. Policy Details ... 3
  a. Background Information ... 3
  b. Authority and Delegation ... 3
  c. Applicable Policies and Standards ... 3
  d. Core Responsibilities ... 5
  e. Consequences of Non-Compliance ... 6
VI. Related Links ... 6
VII. Contact Information ... 6
Procedures Manual
1. Detailed Responsibilities ... 7
  a. PCI Compliance Office ... 7
  b. Vanderbilt University Information Technology ... 7
  c. Treasury ... 9
  d. VUMC Finance ... 9
  e. Departmental Merchants
2. Merchant Account Approval and Setup
  a. Merchant Account Application
3. Merchant Account Fees
4. Third-Party Vendors and Service Providers Operating on Vanderbilt's Campus
5. Procedures for Handling Cardholder Data
  a. Acceptance
  b. Retention and Disposal
  c. Annual PCI DSS Self-Assessment
  d. Response to a Security Breach
  e. Alteration of Card Processing Environment
APPENDIX A Payment Card Merchant Compliance Statement
Last Revised: 7/28/2015 1

Policy

I. Purpose
The purpose of this policy is to minimize the chances of credit card fraud, hacking, and various other security vulnerabilities and threats, and to minimize the possibility of a breach of cardholder data by adhering to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS was developed by the founding members of the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is responsible for managing the security standards, while compliance is enforced by the card brands, namely American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

II. Overview
Vanderbilt University has a fiduciary responsibility to patients, students, donors, customers and payment card processors to comply with the PCI DSS when handling payment card transactions. Non-compliance can result in serious consequences for Vanderbilt, including reputational damage, loss of customers, litigation, and substantial financial costs. The objectives of this policy are to:
- ensure compliance with the PCI DSS and other applicable policies and standards,
- establish the governance structure for payment card processing and compliance activities at Vanderbilt,
- define responsibilities for payment card services to various Vanderbilt constituents, and
- provide general guidelines regarding the handling of cardholder data.

III. Applicability
This policy applies to all personnel who store, process, transmit, or have access to cardholder data, including all faculty, staff, contractors, and students who are employed by Vanderbilt University. This policy also applies to any employee who contracts with a third-party vendor to handle and/or process cardholder data on behalf of Vanderbilt University. All vendors, contractors, and business partners who store, process, transmit, or have access to cardholder data on behalf of Vanderbilt must contractually agree to be compliant with the current version of the PCI DSS at all times.

IV. Definitions
Acquiring bank is typically a financial institution that processes payment card transactions for merchants. It is defined by a payment brand as an acquirer.

Cardholder data is any personally identifiable data associated with a cardholder. Examples include, but are not limited to: account number, expiration date, card type, name, address, and card validation code (the three- or four-digit value printed on the front or back of a payment card, referred to as CAV, CVC, CVV, or CSC depending on the payment card brand). The term cardholder data is interchangeable with payment card data throughout this policy.

Merchant refers to a Vanderbilt department or operating area that has applied for and been approved to accept credit/debit card payments by either Treasury or VUMC Finance for goods and/or services. A merchant is assigned a specific merchant account (MID), which is used to process all credit/debit card transactions via a Vanderbilt-approved payment card processor.

Payment card processor is the entity engaged by a merchant to handle payment card transactions on its behalf and can also be referred to as a payment gateway. Payment processors are not considered acquirers.

Payment card processing is defined as using any application or device to process a credit/debit card transaction as payment for goods or services from a Vanderbilt merchant.

Payment card refers to both credit and debit cards. The Vanderbilt/Commodore campus card issued by Vanderbilt Card Services is exempt from the PCI DSS.

V. Policy Details

a. Background Information
Vanderbilt accepts payment cards as a convenience to its patients, students, donors and customers. To protect their payment card information and Vanderbilt's reputation, and to reduce the financial risk or impact associated with a breach of payment card information, this policy addresses Vanderbilt's responsibilities to abide by the PCI DSS and other applicable policies and standards. In order for a department, or any other entity at Vanderbilt, to process payment card transactions, it must be established as a merchant. Departments may accept VISA, MasterCard, Discover, American Express, and debit cards with a VISA or MasterCard logo. All merchants at Vanderbilt are required to use the university's acquiring bank, presently Elavon, to process payment card transactions. Any exception must be approved in advance by the university treasurer and vice chancellor for finance.

b. Authority and Delegation
The vice chancellors for administration, finance and VUIT have overall authority to ensure PCI DSS compliance for Vanderbilt University. The vice chancellors have delegated authority to their respective designees to define responsibilities for payment card services and modify this policy as necessary, provided that all modifications are consistent with the current PCI DSS in effect.

c. Applicable Policies and Standards
In addition to the directives and procedures set forth in this policy, any employee, contractor, or agent who, in the course of doing business on behalf of Vanderbilt, is involved in the handling of payment card processing must adhere to the following applicable policies and standards:

Vanderbilt Computing Privileges and Responsibilities: Acceptable Use Policy
Excerpt from Section III.C.1 and 2: Acceptable Use Policy Fiduciary Responsibilities

1. Vanderbilt Community Members
Members of the Vanderbilt community possess a great personal responsibility to themselves and to other community members to utilize technology while maintaining their fiduciary responsibilities. These responsibilities include, but are not limited to:
a. Being responsible for the security of one's personal information
b. Protecting personal and private information of others
c. Taking care to minimize risks of various undesirable events, such as disclosure of sensitive personal information, identity theft, and even threats to personal safety when using Vanderbilt information technology assets

2. Information Technology Professionals
Vanderbilt Information Technology (IT) professionals are granted elevated or privileged access to Vanderbilt University's information and information systems. This privileged access places the Vanderbilt IT professional in a higher level of trust. To maintain this level of trust, Vanderbilt IT professionals must develop, maintain, and continually enhance their skills and abilities on behalf of those they serve. IT professionals employed by Vanderbilt University must strive to be trusted and highly skilled custodians through:
a. Preserving confidentiality
b. Protecting data and information integrity
c. Establishing and maintaining availability of information systems
d. Educating those around them about IT and social risks related to information systems
e. Enhancing and maintaining technical skills
f. Demonstrating an understanding of the areas served

Human Resources Policy HR-025: Electronic Communications Policy

VUMC Information Privacy and Security Policies (Information Privacy and Security - Policies):
- IM Confidentiality of Protected Patient Information
- IM Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information
- IM Access to Confidential Information
- IM Faxing Confidential Information
- IM Privacy and Information Security Training
- IM Disposal of Confidential Information
- IM Access to Protected Patient Information by Job Role
- IM Sanctions for Privacy and Information Security Violations
- IM Authorization and Access to Electronic Systems and Applications
- IM Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information

Payment Card Industry Data Security Standard
The PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store, or transmit cardholder data. It consists of common sense steps that mirror security best practices. Below is a high-level overview of the PCI DSS. The complete standard is accessible at the PCI Security Council website.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.

d. Core Responsibilities
The vice chancellors for administration, finance and VUIT have overall authority to ensure PCI DSS compliance for Vanderbilt University. Core responsibilities for each designee are listed below (a more detailed list of responsibilities is listed in the procedures manual section of this document):

The PCI Compliance Steering Committee is responsible for:
- creating effective lines of accountability, responsibility and authority for compliance with the PCI DSS and Payment Application Data Security Standards (PA-DSS) within their area(s) of responsibility;
- approving policies, procedures, and guidelines related to PCI DSS compliance as presented by the Operational Committee;
- receiving and providing input into PCI solution presentations by the Operational Committee;
- assisting the PCI Compliance Office in bringing non-responsive, noncompliant merchant departments into compliance prior to their payment card privilege being terminated;
- approving/denying merchant requests to process payment cards using non-compliant and/or high-risk techniques; and
- providing input in the Vanderbilt Incident Response Plan in the event of a data breach.

The PCI Operations Team is responsible for:
- recommending policies, procedures, and guidelines related to PCI DSS compliance to the Steering Committee for informational purposes and/or approval;
- building and maintaining secure networks, payment applications, systems and related infrastructure;
- assisting new merchants who wish to begin accepting credit card payments to be PCI compliant before accepting payment card transactions;
- assisting in facilitating and scheduling ongoing network scanning and penetration testing for applicable merchants;
- implementing new mandates issued by the PCI Security Standards Council and conforming to the evolving PCI DSS;
- assisting merchants in reducing their PCI scope to minimize the chance of a data breach;
- providing periodic updates at Steering Committee meetings; and
- maintaining compliance with the PCI DSS at all times.

The PCI Compliance Office (PCIO) is responsible for the oversight and administration of the PCI compliance process at Vanderbilt. This process includes initiating and overseeing an annual PCI DSS self-assessment for each merchant, making appropriate revisions to this policy as needed and coordinating any remediation activities as required by the PCI DSS or other applicable policies and standards. Other responsibilities include providing annual security awareness & training programs, approving requests for new merchant accounts, approving Vanderbilt-hosted and third-party hosted payment processing applications, and reviewing third-party credit card processing vendors and service providers for compliance.

Information Technology (VUIT) is responsible for maintaining and disseminating security policies and procedures that address PCI DSS requirements, testing Vanderbilt's infrastructure and network environment, and assisting the PCIO in completing the technical sections of the annual PCI DSS self-assessment questionnaire (SAQ). In addition, VUIT is responsible for configuring and managing applications and infrastructure that store, process or transmit cardholder data in compliance with PCI DSS and Vanderbilt security requirements, limiting access to IT resources and cardholder data, and maintaining Vanderbilt's Institutional Information Technology PCI Procedures document.

The Office of the Treasurer is responsible for the agreement with an acquiring bank, ensuring new merchant account (MID) applications are requested by the appropriate level employee of a department (see Merchant Account Responsible Person, Procedures Manual Section 1.e.), and initial setup and ongoing administration of all university merchant accounts. Key responsibilities include approval of merchant applications once the PCIO has approved the requestor's payment card transaction process, and procurement of credit card terminals and other equipment.

The VUMC divisional controller is responsible for initial setup and ongoing administration of all VUMC merchant accounts. Key responsibilities include approval of merchant applications once the PCIO has approved the payment card transaction process, and procurement of credit card terminals and other equipment.

Departmental Merchants are responsible for ensuring that all business process documents for accepting, processing, retaining, and disposing of cardholder data are updated and comply with the PCI DSS and all other applicable policies and standards. Departmental merchants are responsible for performing an annual PCI DSS self-assessment questionnaire (SAQ) in partnership with the PCI Compliance Office. Departmental employees who are involved in the storing, processing, or transmitting of cardholder data, or have access to it, are responsible for completing PCI DSS training upon hire and at least annually. All employees will acknowledge reading and understanding these security policies and procedures, and will comply with these policies.

e. Consequences of Non-Compliance
Non-compliance can result in serious consequences for Vanderbilt, including reputational damage, loss of customers, litigation, and substantial financial costs. Failure to comply with this policy and/or applicable policies, standards, and procedures carries severe consequences which may include: loss of the ability to process payment card transactions, departmental repayment of financial costs imposed on Vanderbilt, and employee disciplinary action, which can include termination of employment. The vice chancellor for administration and the treasurer have the authority to terminate merchant accounts for non-compliance, while the PCIO can suspend merchants for the same reason.

VI. Related Links
Vanderbilt University: PCI Policy and Procedures Manual (Will be posted once this document is approved)
Payment Card Industry Data Security Standard (PCI DSS):
American Express:
Discover Financial Services:
MasterCard Worldwide:
Visa Inc.:

VII. Contact Information
For questions or comments regarding this policy, contact:
PCI Compliance Office
PMB

Procedures Manual

1. Detailed Responsibilities
While section V.d above lists core responsibilities for each Vanderbilt constituent, this section provides a more detailed list of responsibilities for the PCI Compliance Office, Information Technology, Treasury, VUMC Finance and departmental merchants.

a. Responsibilities of the PCI Compliance Office:
- Comply with all current PCI DSS requirements.
- Establish, document, and distribute payment card processing and compliance policies and procedures.
- Assess merchant payment applications for PCI compliance prior to merchant accounts being processed by Treasury and VUMC Finance.
- Provide a PCI security awareness & training program to ensure that all employees who process or have access to the cardholder data environment are knowledgeable of Vanderbilt's policies and procedures on the acceptance, processing, retention, disposal and security of cardholder data.
- Obtain and retain on file a signed Payment Card Merchant Compliance Statement from all merchant account responsible employees. This statement includes acknowledgement by the employee that he or she has read and understood this Payment Card Processing and Compliance Policy and Procedures Manual (Appendix A). Incorporate this type of document in the training program.
- Perform an annual assessment of Vanderbilt's card processing activities across the enterprise, in partnership with VUIT and, frequently, an independent compliance partner that is certified by the cardholder industry.
- Assist merchants with the completion and submission of all PCI DSS self-assessment questionnaires.
- Work with non-compliant merchants to implement appropriate remediation activities.
- Provide regular status updates to the director for Business Services.
- Escalate to the PCI Steering Committee merchants not meeting PCI requirements.
- Regularly monitor the payment card data environment and update policies and procedures to address changes, such as technological improvements.
- Verify that VUIT's institutional Information Technology Procedures document includes an annual risk assessment process that identifies threats and vulnerabilities, and results in a formal risk assessment. This risk assessment will be reviewed, at a minimum, annually.
- Maintain a repository of merchant information, assessments, and related documents, including completed self-assessment questionnaires, remediation plans, data flow diagrams, and a list of current merchants and key business and technical contacts.
- Maintain a registry of all card processing devices (e.g., swipe terminals, point-of-sale devices, vending systems) and all computer systems (e.g., workstations, kiosks, web servers, database servers) involved in the storage, processing, and/or transmission of cardholder data.
- Maintain a list of authorized third-party credit card processing vendors and service providers with key business and technical contacts. For all service providers, a written agreement must be on file. This agreement must include 1) acknowledgement by the service provider that it is responsible for the security of cardholder data processed through its system. The PCIO will also 2) obtain documentation annually indicating that the service provider is PCI DSS compliant, 3) review contracts for appropriate PCI DSS language, and 4) ensure contracts are retained in the applicable contract management systems (e.g., VandyConTracs).
- Maintain and coordinate a unified PCI DSS change management process for all merchants that includes a cross-functional review of all new payment card processing activities or significant changes to these activities, including (but not limited to) any changes to cardholder data flows, vendors used for payment card processing, system or application upgrades/migrations, or any change that results or could result in a change in PCI DSS compliance status (from non-compliant to compliant or vice versa).

b. Responsibilities of Vanderbilt University Information Technology:
- Comply with all current PCI DSS requirements.
- Maintain the VUIT institutional Information Technology Procedures document, including an annual risk assessment process that identifies threats and vulnerabilities, and results in a formal risk assessment. This risk assessment will be reviewed, at a minimum, annually.

- Disseminate VUIT security policies and procedures that address PCI DSS requirements.
- Assist merchants and the PCIO in completing the technical sections of their annual self-assessment questionnaires.
- Provide technical oversight to ensure compliance of new and existing applications and their related hardware through a coordinated process with the PCI Compliance Office, the merchant and, if necessary, a PCI Qualified Security Assessor.
- Review logs, at least daily, for those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol servers.
- Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
- Test, at least annually, the security incident response plan.
- Test, at least quarterly, for the presence of wireless access points by using a wireless analyzer or deploying a wireless IDS/IPS to identify all wireless devices in use.
- For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
- Run internal network vulnerability scans on IP addresses used in the processing of payment card transactions, at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
- Coordinate the scheduling of external scans and penetration testing on public-facing IP addresses used in the processing of payment card transactions at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
- Have the authority to make final interpretations of technical PCI DSS requirements for Vanderbilt.
- In coordination with the PCIO, work with Vanderbilt's Qualified Security Assessor(s) and Authorized Scanning Vendor(s) during engagements.
- Develop and implement decommissioning strategies to properly dispose of computer systems and devices that process payment card data.
- Manage all computer systems and other IT resources in a manner that complies with PCI DSS and Vanderbilt security requirements.
- Limit access to computing resources (e.g., computers, mobile devices) only to those individuals whose jobs require such access.
- Assist the merchant and PCI Compliance Office in completing the technical sections of the annual self-assessment questionnaire.
- Remove and destroy electronically stored cardholder data in coordination with merchants and the PCIO.
- Review logs, at least daily, for all system components. Log reviews must include those servers that perform security functions like intrusion-detection system and authentication, authorization, and accounting protocol servers.
- Retain audit trail history of payment card transactions for at least one year, with a minimum of three months immediately available for analysis (e.g., online, archived, or restorable from backup).
- Deploy anti-virus software on all systems and ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
- Assign all employees with access to a payment application a unique network ID before allowing them to access system components or cardholder data. User names and passwords may not be shared. Passwords must be changed every 90 days.
- Assign all IT employees and third-party technical support personnel who have access to payment applications, related databases and networks that store, transmit or process cardholder data unique sign-on IDs. User names and passwords may not be shared. Passwords must be changed every 90 days.
- Store media back-ups in a secure location and review the location's security at least annually. Classify the media so it can be identified as confidential. (Note: As a good business practice, backups should not be retained any longer than required.)
- For encryption of cardholder data, verify that key management procedures are implemented, at least annually, to require periodic cryptographic key changes.
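The 90-day password change rule above, the rule in the same VUIT list that inactive accounts be disabled or removed at least every 90 days, and the one-year / three-month audit trail retention rule can all be checked mechanically against an account roster and log coverage dates. The following Python is an added example written for readers of this manual; it is not VUIT's or Vanderbilt's own tooling. The roster fields, the sample records, the review date and the reading of "three months" as 90 days are assumptions made here.

```python
"""Account-hygiene and audit-trail checks for three VUIT rules: passwords
changed every 90 days, inactive accounts removed at least every 90 days, and
audit trail history kept one year with three months immediately available.
Added example; the roster format and all sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_PASSWORD_AGE_DAYS = 90   # "Passwords must be changed every 90 days"
MAX_INACTIVE_DAYS = 90       # inactive accounts removed "at least every 90 days"
MIN_RETENTION_DAYS = 365     # audit trail retained for at least one year
MIN_ONLINE_DAYS = 90         # three months immediately available (assumed 90 days)

AS_OF = date(2015, 7, 28)    # review date; chosen to match the manual's revision date


@dataclass(frozen=True)
class Account:
    user: str
    password_changed: date
    last_login: Optional[date]   # None: the account has never signed on
    enabled: bool


# Constructed sample roster; none of these are real users or dates.
SAMPLE_ROSTER = [
    Account("jdoe",    date(2015, 6, 1),  date(2015, 7, 20), True),
    Account("asmith",  date(2015, 7, 1),  date(2015, 3, 1),  True),   # idle too long
    Account("vendor1", date(2015, 1, 15), date(2015, 7, 1),  True),   # stale password
    Account("oldacct", date(2014, 11, 1), date(2014, 12, 1), False),  # already disabled
    Account("newhire", date(2015, 7, 25), None,              True),   # not yet used
]


def audit_accounts(roster: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Map each enabled account that breaks a 90-day rule to its findings."""
    findings: Dict[str, List[str]] = {}
    for acct in roster:
        if not acct.enabled:
            continue  # already disabled: nothing left to enforce
        problems = []
        pw_age = (as_of - acct.password_changed).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            problems.append(f"password age {pw_age}d exceeds {MAX_PASSWORD_AGE_DAYS}d")
        # A never-used account is measured from its setup (password set) date.
        last_activity = acct.last_login or acct.password_changed
        idle = (as_of - last_activity).days
        if idle > MAX_INACTIVE_DAYS:
            problems.append(f"inactive for {idle}d, exceeds {MAX_INACTIVE_DAYS}d")
        if problems:
            findings[acct.user] = problems
    return findings


def accounts_to_disable(roster: List[Account], as_of: date) -> List[str]:
    """Users flagged under the inactive-account rule, for the HR/merchant notice."""
    return sorted(u for u, p in audit_accounts(roster, as_of).items()
                  if any(x.startswith("inactive") for x in p))


def audit_trail_ok(oldest_online: date, oldest_retained: date, as_of: date) -> bool:
    """True when log coverage meets the one-year / three-month rule."""
    return ((as_of - oldest_retained).days >= MIN_RETENTION_DAYS
            and (as_of - oldest_online).days >= MIN_ONLINE_DAYS)


def run_sample_audit() -> Dict[str, List[str]]:
    return audit_accounts(SAMPLE_ROSTER, AS_OF)


def sample_audit_trail_checks():
    # Constructed coverage dates: the first set passes; the second retains a
    # year of history but has too little immediately available for analysis.
    return (audit_trail_ok(date(2015, 4, 1), date(2014, 6, 1), AS_OF),
            audit_trail_ok(date(2015, 6, 1), date(2014, 6, 1), AS_OF))


if __name__ == "__main__":
    for user, problems in run_sample_audit().items():
        print(user, "->", "; ".join(problems))
    print("disable:", accounts_to_disable(SAMPLE_ROSTER, AS_OF))
    print("audit trail checks:", sample_audit_trail_checks())
```

Disabled accounts are skipped rather than reported, since the rule is satisfied once the account is removed; a never-used account is aged from its setup date so that a provisioned-but-unused login still falls under the inactivity rule.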

- Disable and remove inactive user application and network accounts based on HR and merchant notifications at least every 90 days.
- Create and maintain the PCI VLAN network, a secure network dedicated for systems that process and/or transmit cardholder data.
- Migrate all systems that process and/or transmit cardholder data to the PCI VLAN network, a dedicated and secure network created and maintained by VUIT.
- Provide resources to the merchant and the PCIO which can describe current technical processes and configurations to a sufficient degree to validate the compliance state of devices, systems, applications, infrastructure and processes utilized in the storage, processing or transmission of cardholder data.
- Establish firewall and router configuration standards to ensure that all systems are protected from unauthorized access. Configuration standards are to be reviewed in accordance with Vanderbilt's security policies.
- Limit access to network resources (e.g., network jacks, wireless access points, gateways) only to those individuals whose jobs require such access.
- VUIT employees who are involved in the storing, processing, or transmitting of cardholder data, or have access to the cardholder data environment, must complete PCI training upon hire and at least annually.

c. Responsibilities of Treasury:
- Comply with all current PCI DSS requirements.
- Select an acquiring bank and manage the associated agreement.
- Assist Vanderbilt University departments with the submission of merchant account applications.
- Review and approve (where appropriate) merchant applications once the PCIO has approved the requestor's payment card transaction process and procurement of credit card terminals and other equipment.
- Negotiate fee structures and agreements with acquiring banks and third-party credit card processing vendors.
- Administer merchant accounts, including additions, deletions and modifications.
- Place orders for card terminals and other equipment on behalf of merchants.

d. Responsibilities of VUMC Finance:
- Comply with all relevant PCI DSS requirements.
- Assist Vanderbilt University Medical Center departments with the submission of merchant account applications.
- Review and approve/deny merchant account applications.
- Ensure the PCI Compliance Office has reviewed and approved all merchant payment applications prior to approving new or modified merchant account requests.
- Maintain a list of authorized Vanderbilt University Medical Center merchants and key operational and technical contact information for each merchant.
- Place orders for card terminals and other equipment on behalf of merchants.

e. Responsibilities of Departmental Merchants
Within each department, there are specific responsibilities assigned to the departmental business manager or fiscal officer, who is ultimately responsible for the merchant account, and the employees handling cardholder data. These responsibilities are as follows:

Merchant Account Responsible Person will:
- Comply with all relevant PCI DSS requirements.
- Must be a departmental business manager, fiscal officer or equivalent position.
- Ensure that all business processes for accepting, processing, retaining, and disposing of cardholder data are updated, documented and comply with the PCI DSS and this policy.
- Read the VU Payment Card Issuance and Compliance Policy and Procedures Manual and sign an annual Payment Card Merchant Compliance Statement.
- Identify positions that require access to payment card data and system components and limit access to only those employees whose job requires such access.
- Request VUIT deactivate/remove a user's application and network access when there is no longer a need to access cardholder data environments.

- Provide a proper control environment, including segregation of duties, for processing payment card transactions.
- Procure card terminals and other equipment through the Office of the Treasurer for university departments and VUMC Finance for VUMC departments.
- Maintain a departmental listing of all applicable card processing devices and computer systems.
- Limit access to computing resources (e.g., computers, mobile devices) only to those individuals whose jobs require such access.
- Dispose of all payment card processing equipment at account termination in conformity with VUIT standards. Contact the PCIO for more information.
- Ensure that employees have reviewed and understand their responsibilities outlined in this policy and procedures manual and have been properly trained on departmental business processes for handling cardholder data.
- Notify the PCI Compliance Office of all employee changes in positions that require the handling of and/or access to cardholder data.
- Perform an annual self-assessment in partnership with the PCI Compliance Office.
- Obtain approval from the PCI Compliance Office before requesting a Merchant Account in order to establish the department's and payment application's ability to comply with PCI standards.
- Inform the PCI Compliance Office in the event of changes to the merchant environment or method of payment card acceptance. Such changes include, but are not limited to:
  o departmental website,
  o products or services for sale,
  o intended customer base,
  o anticipated transaction volume,
  o outside advertising,
  o application software, and/or
  o departmental contacts responsible for the e-commerce account.
- Consult with the PCI Compliance Office prior to signing contracts with payment card service providers to ensure PCI contract language has been included in any new or renewed master agreement.

Responsibilities of Departmental Employees:
- Comply with all relevant PCI DSS requirements.
- Departmental employees who are involved in the storing, processing, or transmitting of cardholder data, or have access to it, are responsible for ensuring successful completion of PCI DSS training upon hire and at least annually.
- Notify the merchant account responsible person immediately in the event of suspected fraud or data breach.

2. Merchant Account Approval and Setup
Departments may accept and process payment cards in person, by mail order, by telephone order, and/or via an ecommerce website. In order to do so, a department must first have a merchant account. University departments must request this account through the Treasurer's Office while VUMC departments must request this account through the VUMC Finance Office. Departments cannot independently contract with third-party credit card processing vendors and service providers; all such contracts are handled by the Treasurer's Office.

a. Merchant Account Application
For University Departments: The first step for a university department to accept credit card payments is to complete a Request to Process Credit Cards document obtained from the PCIO website and submitted to the PCI Compliance Office Program Coordinator. This document must be signed by the department head and (What did we decide for this term?) before submission to the PCIO. Once the PCIO reviews a request, a meeting will be scheduled to discuss the department's needs and

12 how best to meet those needs. It is strongly advised that software not be purchased until there is the approval of the PCIO because the payment application may not meet PCI compliance requirements. In addition, PCI contractual information must be included in all master agreements involving software purchases where payment cards can be processed. This contractual verbiage can be obtained from either Procurement Services or the PCIO. After the PCIO has approved the request, it will be passed to Treasury. The Office of the Treasurer will provide a merchant application and open a new merchant account. Once the merchant account (MID) has been assigned the PCIO will provide information to the merchant to complete the account s initial annual compliance. For VUMC Departments: The first step for a VUMC department to accept credit card payments is to complete a Request to Process Credit Cards document obtained from the PCIO website and submitted to the PCI Compliance Office Program Coordinator. This document must be signed by the department head and (same as above) before submission to the PCIO. Once the PCIO reviews a request, a meeting will be scheduled to discuss the department s needs and how best to meet those needs. It is strongly advised that software not be purchased until there is the approval of the PCIO because the payment application may not meet PCI compliance requirements. In addition, PCI contractual information must be included in all master agreements involving software purchases where payment cards can be processed. This contractual verbiage can be obtained from either Procurement Services or the PCIO. After the PCIO has approved the request, it will be passed to VUMC Finance. VUMC Finance will provide a merchant application and open a new merchant account. Once the merchant account (MID) has been assigned the PCIO will provide information to the merchant to complete the account s initial annual compliance. 3. 
Merchant Account Fees For university departments, merchants are responsible for all costs associated with payment card processing. These costs include, but are not limited to, merchant account setup & administrative fees, equipment purchases, recurring monthly costs, and fees based on a percentage of every transaction from each credit card brand. For Medical Center departments, merchants will follow the VUMC policy. Typically, merchant fees for patient-related collections are charged at an overhead cost while non-patient merchant fees are charged to the department. 4. Third-Party Vendors and Service Providers Operating on Vanderbilt s Campus Third-party vendors and service providers contracted by Vanderbilt must process payment cards and handle cardholder data according to the PCI DSS. Vanderbilt reserves the right at any time to request either proof of PCI DSS compliance or a certification (from a recognized third-party IT audit and compliance firm) verifying that the vendor/service provider uses secure standard financial industry practices in its financial transactions. 5. Procedures for Handling Cardholder Data Payment cards may be accepted by departments for various purposes including patient payments, course tuitions and fees, and the sale of goods and services. The vice chancellor for finance or treasurer may revoke a department s ability to accept payment cards if the department violates any part of this policy and/or places Vanderbilt at risk by not being PCI compliant. The PCIO may suspend a merchant s ability to process payment cards for the same reasons listed above. Employees whose duties require handling of cardholder data should adhere to the following guidelines for the acceptance, processing, retention, and disposal of this information. Modifications to these guidelines may be appropriate depending on the occurrence and volume of transactions that a merchant processes. Last Revised: 7/28/

a. Acceptance

• Verify the signature of the cardholder at the time of the transaction for card-present transactions.
• Obtain the signature of the cardholder on the receipt and provide a duplicate copy to the cardholder.
• Verify that the payment card's expiration date is valid.
• Verify that only the last four digits of the payment card number are printed on the receipt.
• If accepting cardholder data via fax, locate the fax machine in a secured, non-public area with limited access.
• Payment card charges should not exceed the transaction amount of the purchase.
• Refunds must be made to the payment card used during the transaction. No transactions should be refunded in cash or to a different payment card.
• Do not accept cardholder data via end-user messaging technologies (e.g., email, voicemail, instant messaging, and text messaging).

b. Retention and Disposal

Cardholder data cannot be retained/stored electronically or in paper form.

c. Annual PCI DSS Self-Assessment

The PCIO will contact each merchant to schedule their annual self-assessment. Each merchant must complete an annual self-assessment questionnaire to attest compliance with this policy, the PCI DSS, and other applicable standards and policies. Merchants found not in compliance will work with the PCIO to implement appropriate remediation activities.

d. Response to a Security Breach

In the event of a breach, including the suspicion that payment card data has been exposed, lost, stolen, or misused, the merchant must immediately contact the PCI Office at or

e. Alteration of Card Processing Environment

Any alteration of the card processing environment must receive prior written approval by the PCI Compliance Office. Changes include but are not limited to:

• the use of existing merchant accounts for a purpose different from the one specified in the merchant application/renewal,
• the alteration of business processes that are not specifically addressed by this policy,
• the addition or alteration of payment card processing devices, systems, technologies, or channels, and
• the addition or alteration of relationships with third-party payment card service providers.

APPENDIX A

Payment Card Merchant Compliance Statement

As a Vanderbilt employee with responsibilities for handling payment cards and cardholder data, I recognize that I have access to sensitive and confidential information. I will strive to protect Vanderbilt and its customers at all times when making decisions concerning payment cards and cardholder data, and I agree with the following statements:

• I have read, understand, and agree to abide by Vanderbilt's Payment Card Processing and Compliance Policy and Procedures Manual.
• I will utilize cardholder data for Vanderbilt business purposes only.
• I will not use or distribute cardholder data for personal purposes. I understand that such actions are illegal and grounds for prosecution.
• I understand that in cases where I suspect a breach of security, including the suspicion that cardholder data has been exposed, lost, stolen, or misused, I must immediately contact the PCI Compliance Office.
• If I am the MID responsible person, I understand that I must maintain documented and effective business processes for accepting, processing, retaining, and disposing of cardholder data.
• I understand that failure to comply with this policy and/or applicable policies, standards, and procedures carries severe consequences, which may include loss of the ability to process payment card transactions and disciplinary action, which can include termination of employment.

Employee Name: ______________________ (Print Name)
Signature: ______________________ Date: ____________
VUNet ID: ______________________
Department: ______________________
MID: ______________________
Name of Merchant Account (DBA): ______________________

Department Head: ______________________ (Print Name)
Signature: ______________________ Date: ____________

More information

Standards for Business Processes, Paper and Electronic Processing

Standards for Business Processes, Paper and Electronic Processing Payment Card Acceptance Information and Procedure Guide (for publication on the Treasury Webpages) A companion guide to University policy 6120, Payment Card Acceptance Standards for Business Processes,

More information

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Payment Card Industry (PCI) Policy Manual. Network and Computer Services Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology

More information

CREDIT CARD PROCESSING POLICY AND PROCEDURES

CREDIT CARD PROCESSING POLICY AND PROCEDURES CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.

More information

b. USNH requires that all campus organizations and departments collecting credit card receipts:

b. USNH requires that all campus organizations and departments collecting credit card receipts: USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System

More information

Department PCI Self-Assessment Questionnaire Version 1.1

Department PCI Self-Assessment Questionnaire Version 1.1 Department PCI Self-Assessment Questionnaire Version 1.1 2009 Attestation of Compliance Instructions for Submission This Department PCI Self-Assessment Questionnaire has been developed as an assessment

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524 'McGill Sylvia Franke, LL.B., B.Sc. Albert Caponi, C.A. Chief Information Officer Assistant Vice-Principal (Financial Services) 688 Sherbrooke Street West, Room 730 James Administration Building, Room

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document

More information

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0 Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission

More information

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Credit Card Handling and Acceptance Policy Policy Number: C3875 Effective Date: November 8, 2006 Issuing Authority: Office of VP Business and

More information

University of Virginia Credit Card Requirements

University of Virginia Credit Card Requirements University of Virginia Credit Card Requirements The University of Virginia recognizes that e-commerce is critical for the efficient operation of the University, and in particular for collecting revenue.

More information

Liverpool Hope University. PCI DSS Policy

Liverpool Hope University. PCI DSS Policy Liverpool Hope University PCI DSS Policy Document Control Date Revision/Amendment Details & Reason Author 26 th March 2015 Updates G. Donelan 23 rd June 2015 Audit Committee 7 th July 2015 University Council

More information

PCI Compliance: Protection Against Data Breaches

PCI Compliance: Protection Against Data Breaches Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP 2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate

More information

D. DFA: Mississippi Department of Finance and Administration.

D. DFA: Mississippi Department of Finance and Administration. MISSISSIPPI DEPARTMENT OF FINANCE AND ADMINISTRATION ADMINISTRATIVE RULE PAYMENTS BY CREDIT CARD, CHARGE CARD, DEBIT CARDS OR OTHER FORMS OF ELECTRONIC PAYMENT OF AMOUNTS OWED TO STATE AGENCIES The Department

More information

Credit Card (PCI) Security Incident Response Plan

Credit Card (PCI) Security Incident Response Plan Credit Card (PCI) Security Incident Response Plan To address credit cardholder security, the major credit card brands (Visa, MasterCard, American Express, Discover & JCB) jointly established the PCI Security

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Continuous compliance through good governance

Continuous compliance through good governance PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance Who are the PCI SSC? The Payment Card Industry Security Standard Council

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information