UW Platteville Credit Card Handling Policy

Transcription

1 UW Platteville Credit Card Handling Policy Issued: December 2011 Revision History: November 7, 2013; July 11, 2014; November 1, 2014; August 24, 2015 Overview: In order for UW Platteville to accept credit card payments, it is bound by contracts with the corresponding payment card companies. Payment card companies and governmental agencies have collaborated to develop a comprehensive, thorough and rigorous data security standards including: Payment Card Industry Data Security Standards (PCI DSS); Fair and Accurate Credit Transactions Act (FACTA); Payment Application Data Security Standards (PA DSS). In order to continue to accept credit card payments, UW Platteville must prove and maintain compliance with these various standards. An event such as a security breach of credit card data attributable to UW Platteville jeopardizes the institution s ability to continue to conduct transactions, potentially costing the institution a great deal of revenue. The contract also allows fines to be levied by the card companies in order to continue to do business with them should a breach occur. Statement of Procedure: It is the intent of UW Platteville to reduce institutional risk associated with the administration of merchant cards through the establishment and adoption of standard payment systems and clear assignment of responsibility. This procedure s intent is to provide campus departments and recognized student organizations with compliant, reliable and supportable methods for securely and conveniently accepting credit card payments. This reduces risk to individuals who entrust credit card information to UW Platteville and UW Platteville affiliated entities for transactions. Definitions: Merchant: Any department or recognized student organization that accepts credit cards or utilizes third party software credit card processing on behalf of the university. 1

2 Operating Principles: The following operating principles and responsibilities must be used by departments, recognized student organizations and university employees when accepting credit card information in order to process payments for services, purchases, registration, etc. 1. All merchant sites, including hosted sites, must be authorized by the UW Platteville Controller s Office. See Application and Service Level Agreement (SLA). SLAs must be renewed annually. 2. All merchant card services offered by the University must be delivered using software, systems, and procedures that are compliant with applicable standards. 3. UW Platteville will pre authorize e Payment services for use by UW Platteville units. (Click to see Pre Authorized e_payment services) 4. There should be a certain level of uniformity/branding in the look and feel of UW Platteville storefronts as indicated in the campus web policy except where the vendor dictates. This uniformity not only gives institutional identity to UW Platteville but can be used to avoid phishing. 5. Units must coordinate the delivery of goods and services with the timing of charging e Payments to customers as defined in the credit card operating regulations. 6. The unit selling the goods or services must develop processes for handling credit card and bank account information provided by customers on paper in a safe way. Paper documents showing this information must be cross shredded. Documents should be retained only for the period specified in the appropriate record retention schedule. Retention Schedule 7. UW Platteville units must reconcile e Payments with goods and services provided and with funds deposited by the e Payment processor into University bank accounts and into the Shared Financial System ledger. These reconciliations should be performed using the appropriate separation of duties. Credit Card Merchant (Department/Recognized Student Organization) Responsibilities (agreed to in SLA): Requirements associated with this policy apply to departments, recognized student organizations and university employees that accept credit card information. Credit Card Merchant Numbers a) All credit card merchant sites, including hosted sites, must be established through Controller's Office. Departments and recognized student organizations are prohibited from obtaining merchant ID numbers directly from the credit card companies or setting up hosted sites without 2

3 approval from the Controller s Office. Departments and recognized student organizations must notify the Controller s office of software upgrades in a timely manner prior to the upgrade. Personnel and equipment changes related to credit card processing must be communicated within 5 business days of the change. b) Each campus merchant site must identify a current contact person for the Controller s Office. Credit Card Transaction Channels c) Credit card information can only be accepted through a UW Platteville authorized web application, mail, in person or by telephone (secure line, not Voice over Internet Protocol (VOIP) or mobile). d) Credit card information cannot be accepted via and must never be e mailed from the department or recognized student organization. Credit card information must not be photocopied. e) Any processing of credit card transactions must be done on a PCI compliant workstation. f) Without approval from the Controller s Office, departments and recognized student organizations are not permitted to locally or remotely transmit, process, or store credit card information on UW Platteville or personal computer systems, mobile devices, fax machines, the Internet, e mail, e messaging or any removable electronic storage (USB memory stick, hard drive, zip disk, etc.); not even if encrypted. Credit Card Information Storage g) Without approval from the Controller s Office, credit card merchants cannot store credit card information on a local computer or server. h) Under no circumstances should the Card Identification Number (CID) be stored electronically. If collected on paper, the CID must be destroyed securely immediately after processing. The CID number is the three digit security code on the back of the credit card. It is also referred to as the CVC2 and CVV2. i) While waiting to be processed, paper records of the transaction, with credit card information, must be stored in a locked room or file cabinet. Access to the storage area(s) must be limited to authorized personnel only. j) Paper records containing credit card data must be securely destroyed at the earliest possible date while complying with relevant data retention schedules. 3

4 Credit Card Receipts k) Credit card receipts that go to the customer may only show the last four digits of the credit card number. Also, the credit card expiration date should not appear on the receipt. l) Retain the original receipts, which show last four digits of the credit card number, for all transactions and any original, signed documentation in a secure location for a minimum of 12 months as required by the University of Wisconsin System Fiscal and Accounting General Records Schedule. Fees, Reconciliations, Refunds & Disputes m) Departments and recognized student organizations are responsible for all credit card processing fees. Departments and recognized student organizations may choose to charge a convenience fee to cover the actual amount incurred if allowed by credit card brand and method of acceptance. n) Departments and recognized student organizations are responsible for the cost of equipment required to process transactions within the university credit card environment. The cost of credit card compliance will be allocated out to the respective departments and recognized student organizations. Departments and recognized student organizations will return the equipment to the appropriate office (Controller s office for readers, ITS for computer equipment) when such equipment is no longer needed for proper disposal. o) Reconciliation of credit card merchant activity must be performed at least monthly. Reconciliations will be subject to audit. p) There must be adequate separation of duty between any person authorized to issue a refund and the individual reconciling the account. q) Refunds must be credited to the same credit card account from which the original purchase was made. r) Each department and recognized student organization is responsible for following up and resolving disputed transactions, in conjunction with the Controller s Office. s) Each department and recognized student organizations is responsible for ensuring the timely remittance of credit card receipts to UW Platteville by hosted sites. Annual Self Assessment & Network Scan t) Each department and recognized student organization processing merchant cards must complete an annual risk/security questionnaire/self assessment subject to audit. As part of this self assessment, the Merchant must verify that all third party payment application software, service providers and gateways that store, process or transmit cardholder data as part of an 4

5 authorization or settlement are compliant with applicable payment card requirements. This verification can be performed by: Application Software Determining if the applications software is listed on the Validated Payment Applications found on the PCI website with a non expired validation date [ Service Providers/gateways Determining if the service provider/gateway is listed on the Visa Global Registry of Service Providers PCI DSS Validated Entities with a non expired date. [ list of pcidss compliant service providers.pdf] In addition to the annual questionnaire, the merchant must complete a SAQ any time a credit card related system or process changes. Once completed, the questionnaire must be sent to the Controller s Office for tracking and distribution. The Controller s Office will then send the questionnaire to Internal Audit and the UW Platteville Information Security Officer for follow up. u) For all of the third party vendors, the Merchant must request written acknowledgement that the service providers are responsible for the security of cardholder data that the service providers possesses. v) Credit card numbers should not be stored electronically. Departments and recognized student organizations should work with UW Platteville Information Security to ensure that no credit card numbers are stored electronically. w) Departments and recognized student organizations must work to resolve exceptions identified on the annual risk/security questionnaire/self assessment. Departments and recognized student organizations should work with UW Platteville Information Security to address any exceptions pertaining to technology or electronic storage. Consult with Internal Audit as needed. Employees Handling Credit Card Information x) All employees handling cardholder data and their supervisors or others identified by the Controller s Office, should sign a Confidentiality Acknowledgement form. The form should be the campus wide form used by all departments. y) All employees handling cardholder data must receive annual training. The employee must sign the training checklist and route to the supervisor for signature. The supervisors of each area will submit a report to the Controller s office documenting those that have completed the training. z) All employees processing credit cards must use a PCI compliant workstation. 5

6 aa) Employees that are only generating reports related to credit card activity may use a campus computer to generate those reports as long as the full 16 digit credit card number is not displayed. Imprint Machines bb) Imprint machines are not allowed. Exceptions To These Responsibilities cc) While the Controller s Office does not have the authority to override the PCI Requirements, any exceptions you have to these responsibilities should be discussed with the Controller. The Controller s Office will consider exceptions to any of the above stated responsibilities on a case by case basis in consultation with UW Platteville Information Security Officer and Internal Audit. In considering exceptions, the Controller s Office will examine compliance with applicable standards and the existence and reliability of compensating controls. Departments and recognized student organizations are responsible for obtaining approval from the Controller s Office. Consequences of Not Complying dd) If a merchant does not comply with the above responsibilities, it may be determined that the merchant will no longer be allowed to accept credit cards and may result in significant financial penalties to the department or recognized student organization and the campus as a whole. Any additional monetary costs associated with remediation, assessment, forensic analysis or legal fees will be borne by the department, recognized student organization or college/division. The actions of one merchant can jeopardize all the campus merchants ability to accept credit cards. Controller s Office Responsibilities: a) Develop standards for the campus with respect to accepting credit cards. b) Apply for and secure all campus merchant ID numbers. c) Establish and maintain a process for campus departments and recognized student organizations to accept credit cards. d) Approve applications from campus departments and recognized student organizations before credit cards can be accepted. e) Initiate and approve Service Level Agreements with each department and recognized student organizations before credit cards can be accepted. Service Level Agreements will address the appropriate separation of duties within each department or recognized student organization. 6

7 f) Distribute monthly statements from credit card companies to departments and recognized student organizations for reconciliation. g) Ensure credit card processing fees are properly charged in accord with state, UWS and UW Platteville contracts. h) Ensure credit card processing fees are properly charged back to the appropriate department or recognized student organization. i) Initiate annual renewals of all Service Level Agreements between the Controller s Office and the departments and recognized student organizations. j) Provide appropriate training to the campus on merchant card transactions. k) Ensure that each campus department and recognized student organization that accepts credit cards completes the risk/security questionnaire/self assessment required by applicable standards on an annual basis. During this annual process, the Controller will be responsible for verifying that all Merchants provide appropriate compliance documentation of all third party payment application software, service providers and gateways that store, process or transmit cardholder data as part of an authorization or settlement. l) Maintain a central file of all documentation indicating third party vendor and third party payment application software compliance with applicable requirements. m) Provide an application form and approve departments and recognized student organizations to request merchant ID n) Serve as chair of the PCI core team. UW Platteville Information Technology Responsibilities: a) Work with the Controller s Office to develop standards for the campus with respect to accepting credit cards. b) When requested by the Controller s Office, Information Security Officer will approve/deny applications for departments and recognized student organizations that accept credit cards. c) Work to resolve exceptions pertaining to technology or electronic storage noted on the annual risk/security questionnaire/self assessment and quarterly network scans. Consult with Internal Audit as needed. d) Perform monthly internal network scans to ensure UW Platteville is PCI compliant. Coordinate this effort with Internal Audit. e) Maintain inventory of all credit card software and hardware components in consultation with Financial Services through the annual service level agreement process. 7

8 f) Notify Controller s office when departments and recognized student organizations initiate a request for software or hardware changes that relate to credit card processing. g) Notify and update Controller on issue tickets for any credit card processing related tickets. h) Members of the PCI core team. UW System Internal Audit Responsibilities: a) Member of the PCI core team. b) Internal Audit will monitor the overall effort by incorporating credit card risk into the audit plan. c) Serve as a resource for Controller s office. 8