University of Texas at Dallas Policy for Accepting Credit Card and Electronic Payments

Transcription

1 University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments Cntents: Purpse Applicability Plicy Statement Respnsibilities f a Merchant Department Prcess t Becme a Merchant Department Exceptin t Using Marketplace Respnding t a Security Breach Onging Plicy Management Purpse The University has adpted the fllwing plicy and supprting prcedures fr all types f credit card activity transacted in-persn, ver the phne, via fax, mail r the Internet. The purpse f this plicy is t prtect the interests f the University and its custmers by establishing strng internal business cntrls and standard revenue cllectin methds thrughut the University. This plicy prvides guidance s that the prcesses f accepting electrnic payments cmply with the Payment Card Industry Data Security Standards (PCI DSS) and are apprpriately integrated with the University s financial and ther systems. In additin, adherence t this plicy will ensure cmpliance with Sectins 35.61, and f the Texas Business & Cmmercial Cde, related t the prtectin f credit/debit card infrmatin and ther persnal identifying infrmatin. UT Dallas has cntracted with a third-party vendr whse cre business includes the supprt and prcessing f credit card and electrnic transactins. The vendr prvides the University with a secure gateway and hsted slutin in which all electrnic persnal payment infrmatin is securely transmitted t and stred n ff-site cmputers which the cmpany wns and maintains. The vendr maintains PCI DSS cmpliance certificatin. This relatinship enables the University t prvide secure infrastructure fr acceptance f electrnic payments. Applicability Any UT Dallas emplyee, cntractr r agent wh, in the curse f ding business n behalf f the University, is invlved in the acceptance f credit card and electrnic payments is subject t this plicy. Failure t cmply with the terms f this plicy may predispse the department and/r the University t financial lsses and/r legal liabilities

2 University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments Plicy Statement Any department electrnically cllecting revenue (thrugh credit cards r electrnic checks) n behalf f the University fr gds r services must utilize a secure web based strefrnt. Marketplace is the University s preferred web based applicatin fr electrnic cllectin f revenue. This applicatin can accmmdate receipt f checks and credit cards (Master Card, Visa, American Express, and Discver) in a secure envirnment which is maintained by the third-party prvider as referenced in the Purpse sectin. If a department believes that it has a significant business case r prcessing requirement that cannt be achieved using Marketplace it may be granted authrizatin t use ther credit card prcessing systems (see Exceptins t Using Marketplace). Respnsibilities f a Merchant Department The fllwing respnsibilities are an imprtant aspect f the University s cmpliance with the PCI Data Standards. Any department cllecting revenue n behalf f the University is cnsidered a Merchant Department. The Merchant Department must designate an individual wh will have primary authrity and respnsibility fr revenue cllectin within that department. This individual will be the designated Merchant Department Representative r MDR. All Merchant Departments must: 1. Cmplete the Applicatin t Becme a Merchant Department (see Attachment A). 2. Fllw the Card Acceptance guide (r similar rules) f the merchant prcessr/acquirer (e.g., Glbal Payments) and the perating regulatins and rules f any card assciatins/netwrks that will be accepted by the Merchant Department (e.g., MasterCard, Visa, etc.). Links t Glbal Payments, MasterCard and Visa are prvided fr reference: Glbal Payments Card Acceptance MasterCard Wrldwide Rules and Chargeback Visa Merchant Respnsibility and Card Acceptance Guide 3. Ensure that all emplyees, including the MDR, cntractrs and agents with access t payment card data cmplete cmpliance training n an annual basis. 4. Revenue cllectin arrangements that require payees t enter credit card numbers n preprinted rder frms which are then mailed t a UTD department are nt allwed

3 University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments 5. Ensure that all credit card data cllected, regardless f hw it is stred (physically r electrnically, including but nt limited t accunt numbers, card imprints, and Terminal Identificatin Numbers) is secured. Data is cnsidered t be secured nly if the fllwing criteria are met: Only thse with a need-t-knw are granted access t credit card and electrnic payment data. is nt used t transmit credit card payment infrmatin. If the use f is necessary, nly the last fur digits f the credit card number are displayed. Credit card r electrnic payment infrmatin is never dwnladed nt any prtable devices such as USB flash drives, cmpact disks, laptp cmputers r persnal digital assistants. Fax transmissins (bth sending and receiving) f credit card and electrnic payment infrmatin are limited t thse fax machines whse access is restricted t authrized individuals. The transactins must be prcessed immediately and the dcuments must be shredded. The prcessing and strage f persnally identifiable credit card r electrnic payment infrmatin n University cmputers and servers is prhibited. Exceptins can nly be made if the prcessing and strage methds are cmpliant with this plicy, the UT System Infrmatin Security Plicy and PCI Data Security Standards. These standards detail strict encryptin prtcls. Only secure cmmunicatin prtcls and/r encrypted cnnectins are used during the prcessing f electrnic transactins. (NOTE: The UT Dallas Infrmatin Security Department maintains a staff f security prfessinals wh are available, as required, t prvide cnsultative services n apprpriate security practices. The Directr f Infrmatin Security can be cntacted fr mre infrmatin regarding these services. The three-digit card-validatin cde printed n the signature panel f a credit card is never stred in any frm. All but the last fur digits f any credit card accunt number are masked if credit card data is displayed. All credit card and electrnic payment data that is n lnger deemed necessary r apprpriate t stre is destryed r rendered unreadable. Befre accepting check payments, the strefrnt must cntain a disclsure that all checks will be cnverted int ACH transactins and will be prcessed electrnically. In additin, the receipt shuld prvide written ntificatin f this disclsure. All cmputers accessing r prviding supprt fr the web based strefrnt must be encrypted with McAfee SafeBt. In additin, Identityfinder must be installed and cnfigured t run weekly. All discvered instances f the - 3 -

4 University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments full credit card number, bank accunt number, r scial security number must be reprted t the Department Head, Treasury Manager, and the Infrmatin Security Office and remedied immediately. 6. N credit card receipt r ther dcument referencing the transactin shall include mre than the last fur digits f the accunt number r the mnth and year f the expiratin date. N University emplyee, cntractr r agent wh btains access t credit card r ther persnal payment infrmatin may sell, purchase, prvide, r exchange said infrmatin in any frm t any third party ther than t the University s acquiring bank, depsitry bank, Visa, MasterCard r ther credit card cmpany, r pursuant t a gvernment request. All requests t prvide infrmatin t any utside party must be reviewed and apprved in advance by the Vice President fr Cmmunicatins and the Vice President fr Business Affairs r their delegates. Prcess t becme a Merchant Department The MDR r his/her designee must fllw the steps belw in rder t request apprval t becme a Merchant Department. 1. Ntify the Treasury Manager in The Office f Finance f a need t accept credit card and/r electrnic payments by cmpleting an Applicatin t Becme a Merchant Department. 2. Obtain apprval frm the schl/divisin Department Head. It is the respnsibility f the Department Head t apprve the business case and all ther infrmatin prvided in the applicatin, and t apprve the designatin f the Merchant Department Representative. 3. Submit the signed applicatin t the Treasury Manager fr review and apprval by the Assciate Vice President fr Finance and Cntrller. 4. If the applicatin is apprved, the Treasury Manager will frward a request t University Web Services t design a new Marketplace strefrnt fr the Merchant Department. The Merchant Department shuld allw sufficient time fr this prcess t be cmpleted. 5. The Merchant Department Representative must cntact the Infrmatin Security Office t schedule installatin f McAfee SafeBt and Identityfinder n the cmputers that will access r supprt the web based strefrnt. 6. The Treasury Manager will arrange the necessary training fr the Merchant Department, as well as any additinal infrmatin pertinent t the apprved payment methd

5 University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments Exceptin t Using Marketplace If a department believes that it has a significant business case r prcessing requirement that cannt be achieved using Marketplace, they must prvide the details f their case, in writing. Examples wuld be departments that have a high vlume f walk-in custmers that are paying in persn, such as The Pub r Bkstre. In this case, the department may be granted authrizatin t use an alternate credit card prcessing system r vendr. If the Merchant Department needs t utilize this alternative, they must: Cmplete the Applicatin t becme a Merchant Department. The applicatin shuld request a release frm the Marketplace requirements specified by this plicy. The request shuld include the details f their business case and specific prcessing requirements. Prvide prf that the alternate vendr is certified PCI cmpliant and ensure that the department and its vendr cmply with all relevant prvisins f the UT System Infrmatin Use and Security Plicy and the UT Dallas Plicy fr Accepting Credit Card and electrnic Payments (See link at the end f this plicy). Cmply with the requirements fr installatin and running f McAfee SafeBt and Identityfinder as described abve. The Treasury Manager will review the department s request, and frward it t the Assciate Vice President fr Finance and Cntrller fr apprval. In the event that the use f an alternate vendr is apprved, the Merchant Department will be subject t peridic inspectins by the Treasury Manager t ensure cmpliance with the University plicy and the PCI Data Security Standards. An additinal exceptin t using Marketplace applies t departments accepting dnatins. All dnatins t the University shuld be crdinated by the Office f Develpment and shuld use the custmized nline dnatin ptin cnfigured thrugh that ffice. Fr assistance in establishing a dnatin link, users shuld cntact the Office f Develpment. Prcess fr Respnding t a Security Breach - 5 -

6 University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments Security breaches can result in serius cnsequences fr the University, including release f cnfidential infrmatin, damage t reputatin, added cmpliance csts, the assessment f substantial fines, pssible legal liability and the ptential lss f the ability t accept credit card and electrnic payments. In the event f a breach r suspected breach f security, the Merchant Department must immediately perfrm the fllwing steps: 1. Cntact the Treasury Manager and the Chief Infrmatin Security Officer. The Chief Infrmatin Security Officer will prvide further instructins which will include measures that will preserve electrnic evidence. 2. The Chief Infrmatin Security Officer will implement a Crisis Respnse Plan t islate, investigate, dcument and remediate the situatin in partnership with the Treasury Manager. 3. All investigatin and cllectin f evidence will be dne by an Infrmatin Security Analyst. T prevent alteratin f the cmprmised system r systems, Infrmatin Security asks the MDR t fllw the requests belw: D nt switch ff the cmprmised machine. D nt attempt t islate the cmprmised system(s) frm the netwrk by unplugging the netwrk cnnectin cable. D nt lg n t the machine and/r change passwrds Be n HIGH alert and mnitr all electrnic applicatins and reprt suspicius activity t Infrmatin Security. 4. The Treasury Manager shall alert the merchant bank, the payment card assciatins and the UT Dallas Plice Department. The Assciate Vice President fr Finance shall reprt the suspected breach t the Vice President fr Business Affairs wh will in turn take the apprpriate actins t alert the President, the Chief Infrmatin Officer, the Vice President fr Cmmunicatins, and ther relevant regulatry agencies. 5. Where an actual breach f credit card data is cnfirmed, the Treasury Manager, with the assistance f the Chief Infrmatin Security Officer, will ensure that cmprmised credit card accunt infrmatin is securely sent t the apprpriate credit card assciatins and credit reprting agencies. 6. Within 48 hurs f the breach, the Treasury Manager, with assistance frm the relevant MDR, shall prvide the affected credit card assciatins with prf f PCI cmpliance. 7. Within 4 business days f the breach, the Treasury Manager, with assistance frm the relevant MDR, shall prvide the affected credit card assciatins with an incident reprt

7 University f Texas at Dallas Plicy fr Accepting Credit Card and Electrnic Payments 8. At the relevant credit card assciatins request and depending n the level f risk and data elements cmprmised, the University may, within 4 business days f the event: Arrange fr a netwrk and system vulnerability scan. Cmplete a cmpliance questinnaire and submit it t relevant card assciatin(s). 9. In the event that persnal data is expsed, per UT System Infrmatin Use and Security Plicy #UTS165, the University will prvide ntificatin t any resident f Texas and data wners whse persnal identifying infrmatin was, r is reasnably believed t have been, acquired withut authrizatin. Onging Plicy Management University f Texas at Dallas may mdify this plicy frm time t time as required, prvided that all mdificatins are cnsistent with Payment Card Industry Data Security Standards then in effect. The Treasury Manager f the Office f Finance is respnsible fr initiating and verseeing an annual review f this Plicy, making revisins and updates and ensuring that the updated plicy has received the apprpriate apprvals and is distributed t the Merchant Departments. Attachments Attachment A - Applicatin t Becme a Merchant Department Attachment B - PCI Data Security Standards Attachment C - UT System Infrmatin Use and Security Plicy UTS165 Legal Statutes Texas Business & Cmmercial Cde, Sectin Texas Business & Cmmercial Cde, Subchapter A, Chapter 72 Texas Business & Cmmercial Cde,