Vanderbilt University

Transcription

1 Vanderbilt University Payment Card Processing and PCI Compliance Policy and Procedures Manual PCI Compliance Office Information Technology Treasury VUMC Finance

2 Table of Contents Policy... 2 I. Purpose... 2 II. Overview... 2 III. Applicability... 2 IV. Definitions... 2 V. Policy Details... 3 a. Background Information... 3 b. Authority and Delegation... 3 c. Applicable Policies and Standards... 3 d. Core Responsibilities... 5 e. Consequences of Non-Compliance... 6 VI. Related Links... 6 VII. Contact Information... 6 Procedures Manual Detailed Responsibilities... 7 a. PCI Compliance Office:... 7 b. Vanderbilt University Information Technology:... 7 c. Treasury:... 9 d. VUMC Finance:... 9 e. Departmental Merchants Merchant Account Approval and Setup a. Merchant Account Application Merchant Account Fees Third-Party Vendors and Service Providers Operating on Vanderbilt s Campus Procedures for Handling Cardholder Data a. Acceptance b. Retention and Disposal c. Annual PCI DSS Self-Assessment d. Response to a Security Breach e. Alteration of Card Processing Environment APPENDIX A Payment Card Merchant Compliance Statement Last Revised: 7/28/2015 1

3 Policy I. Purpose The purpose of this policy is to minimize the chances of credit card fraud, hacking, and various other security vulnerabilities and threats, and to minimize the possibility of a breach of cardholder data by adhering to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS was developed by the founding members of the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is responsible for managing the security standards, while compliance is enforced by the card brands, namely American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. II. Overview Vanderbilt University has a fiduciary responsibility to patients, students, donors, customers and payment card processors to comply with the PCI DSS when handling payment card transactions. Non-compliance can result in serious consequences for Vanderbilt, including reputational damage, loss of customers, litigation, and substantial financial costs. The objectives of this policy are to: ensure compliance with the PCI DSS and other applicable policies and standards, establish the governance structure for payment card processing and compliance activities at Vanderbilt, define responsibilities for payment card services to various Vanderbilt constituents, and provide general guidelines regarding the handling of cardholder data. III. Applicability This policy applies to all personnel who store, process, transmit, or have access to cardholder data, including all faculty, staff, contractors, and students who are employed by Vanderbilt University. This policy also applies to any employee who contracts with a third party vendor to handle and/or process cardholder data on behalf of Vanderbilt University. All vendors, contractors, and business partners who store, process, transmit, or have access to cardholder data on behalf of Vanderbilt must contractually agree to be compliant with the current version of the PCI DSS at all times. IV. Definitions Acquiring bank is typically a financial institution that processes payment card transactions for merchants. It is defined by a payment brand as an acquirer. Cardholder data is any personally-identifiable data associated with a cardholder. Examples include, but are not limited to: account number, expiration date, card type, name, address, and card validation code the three or four-digit value printed on the front or back of a payment card referred to as CAV, CVC, CVV, or CSC depending on the payment card brand. The term cardholder data is interchangeable with payment card data throughout this policy. Merchant refers to a Vanderbilt department or operating area that has applied for and been approved to accept credit/debit card payments by either Treasury or VUMC Finance for goods and/or services. A merchant is assigned a specific merchant account (MID), which is used to process all credit/debit card transactions via a Vanderbilt-approved payment card processor. Payment card processor is the entity engaged by a merchant to handle payment card transactions on its behalf and can also be referred to as a payment gateway. Payment processors are not considered acquirers. Payment card processing is defined as using any application or device to process a credit/debit card transaction as payment for goods or services from a Vanderbilt merchant. Last Revised: 7/28/2015 2

4 Payment card refers to both credit and debit cards. The Vanderbilt/Commodore campus card issued by Vanderbilt Card Services is exempt from the PCI DSS. V. Policy Details a. Background Information Vanderbilt accepts payment cards as a convenience to its patients, students, donors and customers. To protect their payment card information and Vanderbilt s reputation and to reduce the financial risk or impact associated with a breach of payment card information; this policy addresses Vanderbilt s responsibilities to abide by the PCI DSS and other applicable policies and standards. In order for a department, or any other entity at Vanderbilt, to process payment card transactions, it must be established as a merchant. Departments may accept VISA, MasterCard, Discover, American Express, and debit cards with a VISA or MasterCard logo. All merchants at Vanderbilt are required to use the university s acquiring bank, presently Elavon, to process payment card transactions. Any exception must be approved in advance by the university treasurer and vice chancellor for finance. b. Authority and Delegation The vice chancellors for administration, finance and VUIT have overall authority to ensure PCI DSS compliance for Vanderbilt University. The vice chancellors have delegated authority to their respective designees to define responsibilities for payment card services and modify this policy as necessary, provided that all modifications are consistent with the current PCI DSS in effect. c. Applicable Policies and Standards In addition to the directives and procedures set forth in this policy, any employee, contractor, or agent who, in the course of doing business on behalf of Vanderbilt, is involved in the handling of payment card processing must adhere to the following applicable policies and standards: Vanderbilt Computing Privileges and Responsibilities: Acceptable Use Policy Excerpt from Section III.C.1 and 2: Acceptable Use Policy Fiduciary Responsibilities 1. Vanderbilt Community Members Members of the Vanderbilt community possess a great personal responsibility to themselves and to other community members to utilize technology while maintaining their fiduciary responsibilities. These responsibilities include, but are not limited to: a. Being responsible for the security of one s personal information b. Protecting personal and private information of others c. Taking care to minimize risks of various undesirable events, such as disclosure of sensitive personal information, identify theft, and even threats to personal safety when using Vanderbilt information technology assets Last Revised: 7/28/2015 3

5 2. Information Technology Professionals Vanderbilt Information Technology (IT) professionals are granted elevated or privileged access to Vanderbilt University s information and information systems. This privileged access places the Vanderbilt IT professional in a higher level of trust. To maintain this level of trust, Vanderbilt IT professionals must develop, maintain, and continually enhance their skills and abilities on behalf of those they serve. IT professionals employed by Vanderbilt University must strive to be trusted and highly skilled custodians through: a. Preserving confidentiality b. Protecting data and information integrity c. Establishing and maintaining availability of information systems d. Educating those around them about IT and social risks related to information systems e. Enhancing and maintaining technical skills f. Demonstrating an understanding of the areas served Human Resources Policy HR-025: Electronic Communications Policy VUMC Information Privacy and Security Policies Information Privacy and Security - Policies IM Confidentiality of Protected Patient Information M Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information IM Access to Confidential Information IM Faxing Confidential Information IM Privacy and Information Security Training IM Disposal of Confidential Information IM Access to Protected Patient Information by Job Role IM Sanctions for Privacy and Information Security Violations IM Authorization and Access to Electronic Systems and Applications IM Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information Payment Card Industry Data Security Standard The PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store, or transmit cardholder data. It consists of common sense steps that mirror security best practices. Below is a high-level overview of the PCI DSS. The complete standard is accessible at the PCI Security Council website. Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks. Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software or programs. Requirement 6: Develop and maintain secure systems and applications. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need to know. Requirement 8: Assign a unique ID to each person with computer access. Last Revised: 7/28/2015 4

6 Requirement 9: Restrict physical access to cardholder data. Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security for all personnel. d. Core Responsibilities The vice chancellors for administration, finance and VUIT have overall authority to ensure PCI DSS compliance for Vanderbilt University. Core responsibilities for each designee are listed below (a more detailed list of responsibilities is listed in the procedures manual section of this document): The PCI Compliance Steering Committee is responsible for creating effective lines of accountability, responsibility and authority for compliance with the PCI DSS and Payment Application Data Security Standards (PA-DSS) within their area(s) of responsibility; approving policies, procedures, and guidelines related to PCI DSS compliance as presented by the Operational Committee; receiving and providing input into PCI solution presentations by the Operational Committee; assisting the PCI Compliance Office in bringing non-responsive, noncompliant merchant departments into compliance prior to their payment card privilege being terminated; approving/denying merchant requests to process payment cards using non-compliant and/or high-risk techniques; and providing input in the Vanderbilt Incident Response Plan in the event of a data breach. The PCI Operations Team is responsible for recommending policies, procedures, and guidelines related to PCI DSS compliance to the Steering Committee for informational purposes and/or approval; building and maintaining secure networks, payment applications, systems and related infrastructure; assisting new merchants who wish to begin accepting credit card payments to be PCI compliant before accepting payment card transactions; assisting in facilitating and scheduling ongoing network scanning and penetration testing for applicable merchants; implementing new mandates issued by the PCI Security Standards Council and conforming to the evolving PCI DSS; assisting merchants in reducing their PCI scope to minimize the chance of a data breach; providing periodic updates at Steering Committee meetings; and maintaining compliance with the PCI DSS at all times. The PCI Compliance Office (PCIO) is responsible for the oversight and administration of the PCI compliance process at Vanderbilt. This process includes initiating and overseeing an annual PCI DSS self-assessment for each merchant, making appropriate revisions to this policy as needed and coordinating any remediation activities as required by the PCI DSS or other applicable policies and standards. Other responsibilities include providing annual security awareness & training programs, approving requests for new merchant accounts, approving Vanderbilt-hosted and thirdparty hosted payment processing applications, and reviewing third-party credit card processing vendors and service providers for compliance. Information Technology (VUIT) is responsible for maintaining and disseminating security policies and procedures that address PCI DSS requirements, testing Vanderbilt s infrastructure and network environment, and assisting the PCIO in completing the technical sections of the annual PCI DSS self-assessment questionnaire (SAQ). In addition, VUIT is responsible for configuring and managing applications and infrastructure that store, process or transmits cardholder data in compliance with PCI DSS and Vanderbilt security requirements, limiting access to IT resources and cardholder data and for maintaining Vanderbilt s Institutional Information Technology PCI Procedures document. The Office of the Treasurer is responsible for the agreement with an acquiring bank, ensuring new Last Revised: 7/28/2015 5

7 merchant account (MID) applications are requested by the appropriate level employee of a department (See Merchant Account Responsible Person, Procedures Manual Section 1. E.), and initial setup and ongoing administration of all university merchant accounts. Key responsibilities include approval of merchant applications once the PCIO has approved the requestor s payment card transaction process and procurement of credit card terminals and other equipment. The VUMC divisional controller is responsible for initial setup and ongoing administration of all VUMC merchant accounts. Key responsibilities include approval of merchant applications once the PCIO has approved the payment card transaction process and procurement of credit card terminals and other equipment. Departmental Merchants are responsible for ensuring that all business process documents for accepting, processing, retaining, and disposing of cardholder data are updated and comply with the PCI DSS and all other applicable policies and standards. Departmental merchants are responsible for performing an annual PCI DSS self-assessment questionnaire (SAQ) in partnership with the PCI Compliance Office. Departmental employees who are involved in the storing, processing, transmitting, or have access to cardholder data are responsible for completing PCI DSS training upon hire and at least annually. All employees will acknowledge reading and understanding these security policies and procedures, and will comply with these policies. e. Consequences of Non-Compliance Non-compliance can result in serious consequences for Vanderbilt, including reputational damage, loss of customers, litigation, and substantial financial costs. Failure to comply with this policy and/or applicable policies, standards, and procedures carries severe consequences which may include: loss of the ability to process payment card transactions, departmental repayment of financial costs imposed on Vanderbilt, and employee disciplinary action, which can include termination of employment. The vice chancellor for administration and the treasurer have the authority to terminate merchant accounts for non-compliance while the PCIO can suspend merchants for the same reason. VI. Related Links Vanderbilt University: PCI Policy and Procedures Manual (Will be posted once this document is approved) Payment Card Industry Data Security Standard (PCI DSS): American Express: Discover Financial Services: MasterCard Worldwide: Visa Inc.: VII. Contact Information For questions or comments regarding this policy, contact: PCI Compliance Office PMB pcicompliance@vanderbilt.edu Last Revised: 7/28/2015 6

8 Procedures Manual 1. Detailed Responsibilities While section V.d above lists core responsibilities for each Vanderbilt constituent, this section provides a more detailed list of responsibilities for the PCI Compliance Office, Information Technology, Treasury, VUMC Finance and departmental merchants. a. Responsibilities of the PCI Compliance Office: Comply with all current PCI DSS requirements. Establish, document, and distribute payment card processing and compliance policies and procedures. Assess merchant payment applications for PCI compliance prior to merchant accounts being processed by Treasury and VUMC Finance. Provide a PCI security awareness & training program to ensure that all employees who process or have access to the cardholder data environment are knowledgeable of Vanderbilt s policies and procedures on the acceptance, processing, retention, disposal and security of cardholder data. Obtain and retain on file a signed Payment Card Merchant Compliance Statement from all merchant account responsible employees. This statement includes acknowledgement by the employee that he/or she has read and understood this Payment Card Processing and Compliance Policy and Procedures Manual (Appendix A). Incorporate this type of document in the training program. Perform an annual assessment of Vanderbilt s card processing activities across the enterprise, in partnership with VUIT and, frequently, an independent compliance partner that is certified by the cardholder industry. Assist merchants with the completion and submission of all PCI DSS self-assessment questionnaires. Work with non-compliant merchants to implement appropriate remediation activities. Provide regular status updates to the director for Business Services. Escalate to the PCI Steering Committee merchants not meeting PCI requirements Regularly monitor the payment card data environment and update policies and procedures to address changes, such as technological improvements. Verify that VUIT s institutional Information Technology Procedures document includes an annual risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment. This risk assessment will be reviewed, at a minimum, annually. Maintain a repository of merchant information, assessment, and related documents including completed self-assessment questionnaires, remediation plans, data flow diagrams, and a list of current merchants and key business and technical contacts. Maintain a registry of all card processing devices (e.g., swipe terminals, point-of-sale devices, vending systems) and all computer systems (e.g., workstations, kiosks, web servers, database servers) involved in the storage, processing, and/or transmission of cardholder data. Maintain a list of authorized third-party credit card processing vendors and service providers with key business and technical contacts. For all service providers, a written agreement must be on file. This agreement must include: 1) acknowledgement by the service provider that it is responsible for the security of cardholder data processed through its system, and 2) obtain documentation annually indicating that the service provider is PCI DSS compliant, 3) review contracts for appropriate PCI DSS language, 4) ensure contracts are retained in the applicable contract management systems (e.g., VandyConTracs). Maintain and coordinate a unified PCI DSS change management process for all merchants that includes a cross functional review of all new payment card processing activities or significant changes to these activities including (but not limited to) any changes to cardholder data flows, vendors used for payment card processing, system or application upgrades/migrations, or any change that results or could result in a change in PCI DSS compliance status (from non-compliant to compliant or vice versa) b. Responsibilities of Vanderbilt University Information Technology: Comply with all current PCI DSS requirements. Maintain the VUIT institutional Information Technology Procedures document, including an annual risk assessment process that identifies threats and vulnerabilities, and results in a formal risk assessment. This risk assessment will be reviewed, at a minimum, annually. Last Revised: 7/28/2015 7

9 Disseminate VUIT security policies and procedures that address PCI DSS requirements. Assist merchants and the PCIO in completing the technical sections of their annual selfassessment questionnaires. Provide technical oversight to ensure compliance of new and existing applications and their related hardware through a coordinated process with the PCI Compliance Office, the merchant and, if necessary, a PCI Qualified Security Assessor; Review logs, at least daily, for those servers that perform security functions like intrusiondetection system (IDS) and authentication, authorization, and accounting protocol servers. Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. Test, at least annually, the security incident response plan. Test, at least quarterly, for the presence of wireless access points by using a wireless analyzer or deploying a wireless IDS/IPS to identify all wireless devices in use. For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Run internal network vulnerability scans on IP addresses used in the processing of payment card transactions, at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Coordinate the scheduling of external scans and penetration testing on public-facing IP addresses used in the processing of payment card transactions at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub network added to the environment, or a web server added to the environment). Have the authority to make final interpretations of technical PCI DSS requirements for Vanderbilt. In coordination with the PCIO, work with Vanderbilt s Qualified Security Assessor(s) and Authorized Scanning Vendor(s) during engagements. Develop and implement decommissioning strategies to properly dispose of computer systems and devices that process payment card data. Manage all computer systems and other IT resources in a manner that complies with PCI DSS and Vanderbilt security requirements. Limit access to computing resources (e.g., computers, mobile devices) only to those individuals whose jobs require such access. Assist the merchant and PCI Compliance Office in completing the technical sections of the annual self-assessment questionnaire. Remove and destroy electronically stored cardholder data in coordination with merchants and the PCIO. Review logs, at least daily, for all system components. Log reviews must include those servers that perform security functions like intrusion-detection system and authentication, authorization, and accounting protocol servers. Retain audit trail history of payment card transactions for at least one year, with a minimum of three months immediately available for analysis (e.g., online, archived, or restorable from backup). Deploy anti-virus software on all systems and ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. Assign all employees with access to a payment application a unique network ID before allowing them to access system components or cardholder data. User names and passwords may not be shared. Passwords must be changed every 90 days. Assign all IT employees and third-party technical support personnel who have access to payment applications, related databases and networks that store, transmit or process cardholder data with unique sign-on IDs. User names and passwords may not be shared. Passwords must be changed every 90 days. Store media back-ups in a secure location and review the location s security at least annually. Classify the media so it can be identified as confidential. (Note: As a good business practice, backups should not be retained any longer than required.) For encryption of cardholder data, verify that key management procedures are implemented, at least annually, to require periodic cryptographic key changes. Last Revised: 7/28/2015 8

10 Disable and remove inactive user application and network accounts based on HR and merchant notifications at least every 90 days. Create and maintain the PCI VLAN network, a secure network dedicated for systems that process and/or transmit cardholder data. Migrate all systems that process and/or transmit cardholder data to the PCI VLAN network, a dedicated and secure network created and maintained by VUIT. Provide resources to the merchant and the PCIO which can describe current technical processes and configurations to a sufficient degree to validate the compliance state of devices, systems, applications, infrastructure and processes utilized in the storage, processing or transmission of cardholder data. Establish firewall and router configuration standards to ensure that all systems are protected from unauthorized access. Configuration standards are to be reviewed in accordance with Vanderbilt s security policies. Limit access to network resources (e.g., network jacks, wireless access points, gateways) only to those individuals whose jobs require such access. VUIT employees who are involved in the storing, processing, transmitting, or have access to the cardholder data environment must complete PCI training upon hire and at least annually. c. Responsibilities of Treasury: Comply with all current PCI DSS requirements. Select an acquiring bank and manage the associated agreement. Assist Vanderbilt University departments with the submission of merchant account applications. Review and approve (where appropriate) merchant applications once the PCIO has approved the requestor s payment card transaction process and procurement of credit card terminals and other equipment Negotiate fee structures and agreements with acquiring banks and third-party credit card processing vendors. Administer merchant accounts, including additions, deletions and modifications. Place orders for card terminals and other equipment on behalf of merchants. d. Responsibilities of VUMC Finance: Comply with all relevant PCI DSS requirements. Assist Vanderbilt University Medical Center departments with the submission of merchant account applications. Review and approve/deny merchant account applications. Ensure the PCI Compliance Office has reviewed and approved all merchant payment applications prior to approving new or modified merchant account requests. Maintain a list of authorized Vanderbilt University Medical Center merchants and key operational and technical contact information for each merchant. Place orders for card terminals and other equipment on behalf of merchants. e. Responsibilities of Departmental Merchants Within each department, there are specific responsibilities assigned to the departmental business manager or fiscal officer, who is ultimately responsible for the merchant account, and the employees handling cardholder data. These responsibilities are as follows: Merchant Account Responsible Person will: Comply with all relevant PCI DSS requirements. Must be a departmental business manager, fiscal officer or equivalent position. Ensure that all business processes for accepting, processing, retaining, and disposing of cardholder data are updated, documented and comply with the PCI DSS and this policy. Read the VU Payment Card Issuance and Compliance Policy and Procedures Manual and sign an annual Payment Card Merchant Compliance Statement. Identify positions that require access to payment card data and system components and limit access to only those employees whose job requires such access. Request VUIT deactivate/remove user s application and network access when there is no longer a need to access cardholder data environments. Last Revised: 7/28/2015 9

11 Provide a proper control environment, including segregation of duties, for processing payment card transactions. Procure card terminals and other equipment through the Office of the Treasurer for university departments and VUMC Finance for VUMC departments. Maintain a departmental listing of all applicable card processing devices and computer systems. Limit access to computing resources (e.g., computers, mobile devices) only to those individuals whose jobs require such access. Dispose all payment card processing equipment at account termination in conformity with VUIT standards. Contact the PCIO for more information. Ensure that employees have reviewed and understand their responsibilities outlined in this policy and procedures manual and have been properly trained on departmental business processes for handling cardholder data. Notify the PCI Compliance Office of all employee changes in positions that require the handling of and/or access to cardholder data. Perform an annual self-assessment in partnership with the PCI Compliance Office. Obtain approval from the PCI Compliance Office before requesting a Merchant Account in order to establish the department s and payment application s ability to comply with PCI standards. Inform the PCI Compliance Office in the event of changes to the merchant environment or method of payment card acceptance. Such changes include, but are not limited to: o departmental website, o products or services for sale, o intended customer base, o anticipated transaction volume, o outside advertising, o application software, and/or o departmental contacts responsible for the e-commerce account. Consult with the PCI Compliance Office prior to signing contracts with payment card service providers to ensure PCI contract language has been included in any new or renewed master agreement. Responsibilities of Departmental Employees: Comply with all relevant PCI DSS requirements. Departmental employees who are involved in the storing, processing, transmitting, or have access to cardholder data are responsible for ensuring successful completion PCI DSS training upon hire and at least annually. Notify the merchant account responsible person immediately in the event of suspected fraud or data breach. 2. Merchant Account Approval and Setup Departments may accept and process payment cards via in-person, mail order, telephone order, and/or via an ecommerce website. In order to do so, a department must first have a merchant account. University departments must request this account through the Treasurer Office while VUMC departments must request this account through the VUMC Finance Office. Departments cannot independently contract with third-party credit card processing vendors and services providers; all such contracts are handled by the Treasurer s Office. a. Merchant Account Application For University Departments: The first step for a university department to accept credit card payments is to complete a Request to Process Credit Cards document obtained from the PCIO website and submitted to the PCI Compliance Office Program Coordinator. This document must be signed by the department head and (What did we decide for this term?) before submission to the PCIO. Once the PCIO reviews a request, a meeting will be scheduled to discuss the department s needs and Last Revised: 7/28/

12 how best to meet those needs. It is strongly advised that software not be purchased until there is the approval of the PCIO because the payment application may not meet PCI compliance requirements. In addition, PCI contractual information must be included in all master agreements involving software purchases where payment cards can be processed. This contractual verbiage can be obtained from either Procurement Services or the PCIO. After the PCIO has approved the request, it will be passed to Treasury. The Office of the Treasurer will provide a merchant application and open a new merchant account. Once the merchant account (MID) has been assigned the PCIO will provide information to the merchant to complete the account s initial annual compliance. For VUMC Departments: The first step for a VUMC department to accept credit card payments is to complete a Request to Process Credit Cards document obtained from the PCIO website and submitted to the PCI Compliance Office Program Coordinator. This document must be signed by the department head and (same as above) before submission to the PCIO. Once the PCIO reviews a request, a meeting will be scheduled to discuss the department s needs and how best to meet those needs. It is strongly advised that software not be purchased until there is the approval of the PCIO because the payment application may not meet PCI compliance requirements. In addition, PCI contractual information must be included in all master agreements involving software purchases where payment cards can be processed. This contractual verbiage can be obtained from either Procurement Services or the PCIO. After the PCIO has approved the request, it will be passed to VUMC Finance. VUMC Finance will provide a merchant application and open a new merchant account. Once the merchant account (MID) has been assigned the PCIO will provide information to the merchant to complete the account s initial annual compliance. 3. Merchant Account Fees For university departments, merchants are responsible for all costs associated with payment card processing. These costs include, but are not limited to, merchant account setup & administrative fees, equipment purchases, recurring monthly costs, and fees based on a percentage of every transaction from each credit card brand. For Medical Center departments, merchants will follow the VUMC policy. Typically, merchant fees for patient-related collections are charged at an overhead cost while non-patient merchant fees are charged to the department. 4. Third-Party Vendors and Service Providers Operating on Vanderbilt s Campus Third-party vendors and service providers contracted by Vanderbilt must process payment cards and handle cardholder data according to the PCI DSS. Vanderbilt reserves the right at any time to request either proof of PCI DSS compliance or a certification (from a recognized third-party IT audit and compliance firm) verifying that the vendor/service provider uses secure standard financial industry practices in its financial transactions. 5. Procedures for Handling Cardholder Data Payment cards may be accepted by departments for various purposes including patient payments, course tuitions and fees, and the sale of goods and services. The vice chancellor for finance or treasurer may revoke a department s ability to accept payment cards if the department violates any part of this policy and/or places Vanderbilt at risk by not being PCI compliant. The PCIO may suspend a merchant s ability to process payment cards for the same reasons listed above. Employees whose duties require handling of cardholder data should adhere to the following guidelines for the acceptance, processing, retention, and disposal of this information. Modifications to these guidelines may be appropriate depending on the occurrence and volume of transactions that a merchant processes. Last Revised: 7/28/

13 a. Acceptance Verify signature of cardholder at the time of the transaction for card-present transactions. Obtain the signature of the cardholder on the receipt and provide a duplicate copy to the cardholder. Verify payment card s expiration date is valid. Verify that only the last four digits of the payment card number are printed on the receipt. If accepting cardholder data via a fax, locate fax machine in a secured, non-public area with limited access. Payment card charges should not exceed transaction amount of purchase. Refunds must be made to the payment card used during the transaction. No transactions should be refunded in cash or to a different payment card. Do not accept cardholder data via end-user messaging technologies (e.g., , voic , instant messaging, and text messaging). b. Retention and Disposal Cardholder data cannot be retained/stored electronically or in paper form. c. Annual PCI DSS Self-Assessment The PCIO will contact each merchant to schedule their annual self-assessment. Each merchant must complete an annual self-assessment questionnaire to attest compliance with this policy, PCI DSS, and other applicable standards and policies. Merchants found not in compliance will work with the PCIO to implement appropriate remediation activities. d. Response to a Security Breach In the event of a breach, including the suspicion that payment card data has been exposed, lost, stolen, or misused, the merchant must immediately contact the PCI Office at or pcicompliance@vanderbilt.edu. e. Alteration of Card Processing Environment Any alteration of the card processing environment must receive prior written approval by the PCI Compliance Office. Changes include but are not limited to: the use of existing merchant accounts for a purpose different from the one specified in the merchant application/renewal, the alteration of business processes that are not specifically addressed by this policy, the addition or alteration of payment card processing devices systems, technologies, or channels, and the addition or alteration of relationships with third-party payment card service providers. Last Revised: 7/28/

14 APPENDIX A Payment Card Merchant Compliance Statement As a Vanderbilt employee with responsibilities for handling payment cards and cardholder data, I recognize that I have access to sensitive and confidential information. I will strive to protect Vanderbilt and its customers at all times when making decisions concerning payment cards and cardholder data, and I agree with the following statements: I have read, understand, and agree to abide by Vanderbilt s Payment Card Processing and Compliance Policy and Procedures Manual. I will utilize cardholder data for Vanderbilt business purposes only. I will not use or distribute cardholder data for personal purposes. I understand that such actions are illegal and grounds for prosecution. I understand that in cases where I suspect a breach of security, including the suspicion that cardholder data has been exposed, lost, stolen, or misused, I must immediately contact the PCI Compliance Office. If I am the MID responsible person, I understand that I must maintain documented and effective business processes for accepting, processing, retaining, and disposing of cardholder data. I understand that failure to comply with this policy and/or applicable policies, standards, and procedures carries severe consequences, which may include loss of the ability to process payment card transactions and disciplinary action, which can include termination of employment. Employee Name: Print Name Signature Date VUNet ID Department MID Name of Merchant Account (DBA) Department Head: Print Name Signature Date Last Revised: 7/28/