UTAH VALLEY UNIVERSITY Policies and Procedures

Similar documents
UTAH VALLEY UNIVERSITY Policies and Procedures

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

University of Oregon Policy Statement Development Form

Merchant guide to PCI DSS

Vanderbilt University

University Policy Accepting Credit Cards to Conduct University Business

New York University University Policies

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Becoming PCI Compliant

University Policy Accepting and Handling Payment Cards to Conduct University Business

Policy Title: Payment Cards Policy Effective Date: 5/5/2010. Policy Number: FA-PO-1214 Date of Last Revision: 11/5/2014

b. USNH requires that all campus organizations and departments collecting credit card receipts:

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

CREDIT CARD SECURITY POLICY PCI DSS 2.0

References: County Policy Manual- Credit Card Payments; Vendor Remote Access Request Form

Clark University's PCI Compliance Policy

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

Dartmouth College Merchant Credit Card Policy for Processors

Third Party Agent Registration and PCI DSS Compliance Validation Guide

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PCI & the Contact Centre The Acquirer Perspective

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

Payment Card Industry Data Security Standards Compliance

Why Is Compliance with PCI DSS Important?

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

PC-DSS Compliance Strategies NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

Registration and PCI DSS compliance validation

Information Technology

Payment Card Industry Data Security Standards.

PCI Policies Appalachian State University

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Credit Card Handling Security Standards

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

PCI Data Security Standards

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures

PCI Compliance. Top 10 Questions & Answers

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

PCI DSS. Payment Card Industry Data Security Standard.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments

TERMINAL CONTROL MEASURES

A Compliance Overview for the Payment Card Industry (PCI)

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

PCI Compliance for Cloud Applications

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

PCI Compliance: How to ensure customer cardholder data is handled with care

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

P R O G R E S S I V E S O L U T I O N S

UCSD Credit Card Processing Policy & Procedure

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services

Appendix 1 Payment Card Industry Data Security Standards Program

AISA Sydney 15 th April 2009

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

CREDIT CARD PROCESSING POLICY AND PROCEDURES

Project Title slide Project: PCI. Are You At Risk?

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

PCI Compliance Top 10 Questions and Answers

How To Protect Your Business From A Hacker Attack

2.1.2 CARDHOLDER DATA SECURITY

Credit and Debit Card Handling Policy Updated October 1, 2014

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

A PCI Journey with Wichita State University

PCI DSS Security Awareness Training for University of Tennessee Credit Card Merchants. UT System Administration Information Security Office

Visa global Compromised Account

The Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide

Accepting Payment Cards and ecommerce Payments

115 th Annual Convention

And Take a Step on the IG Career Path

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Accounting and Administrative Manual Section 100: Accounting and Finance

University of Sunderland Business Assurance PCI Security Policy

Emory University & Emory Healthcare

Payment Card Industry Data Security Standard

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Frequently Asked Questions

11/24/2014. PCI Compliance: Major Changes in e-quantum/quantum Net

Payment Card Industry Data Security Standards

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Policy for Accepting Payment (Credit) Card and Ecommerce Payments

Transcription:

Page 1 of 7 Proposed Policy Number and Title: 457 PCI DSS Compliance Existing Policy Number and Title: Not applicable Approval Process* X Regular Temporary Emergency Expedited X New New New Revision Revision Revision Deletion Suspension Anticipated Expiration Date: *See UVU Policy #101 Policy Governing Policies for process details. Draft Number and Date: Stage 4, Board of Trustees, February 19, 2015 President s Council Sponsor: Val Peterson Ext. Policy Steward: Kedric Black Ext. POLICY APPROVAL PROCESS DATES Policy Drafting and Revision Entrance Date: 08/28/2014 University Entities Review Entrance Date: 09/25/2014 University Community Review Entrance Date: 12/18/2014 Open Feedback: 12/18/2014 Close Feedback: 01/14/2015 Board of Trustees Review Entrance Date: 01/15/2015 Approval Date: MM/DD/YYYY POST APPROVAL PROCESS Verify: Policy Number Section Title BOT approval Approval date Effective date Proper format of Policy Manual posting TOPS Pipeline and Archives update Policy Office personnel who verified and posted this policy to the University Policy Manual Name: Date posted and verified: MM/DD/YYYY

Page 2 of 7 POLICY TITLE Section Subsection Responsible Office PCI DSS Compliance Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Administration and Finance Policy Number Approval Date Effective Date 457 1.0 PURPOSE 1.1 The purpose of this policy is to help ensure that the University 1) serves as an effective steward of personal financial information entrusted to it by its constituents, 2) protects the privacy of its constituents, 3) complies with the PCI DSS, and 4) strives to avoid a security breach aimed at obtaining cardholder information. 1.2 To minimize inappropriate exposures, losses, and inappropriate use of cardholder data, this policy sets forth a framework to aid the University by complying with PCI DSS and attending to the proper design and control of systems in scope of PCI DSS. 2.0 REFERENCES 2.1 Payment Card Industry Data Security Standard (PCI DSS) 2.2 UVU 441 Appropriate Use of Computing Facilities 2.3 UVU 443 Ethics in Computer Usage 2.4 UVU 445 Institutional Data Management and Access 2.5 UVU 447 Responsibility for Security of Computing Devices Connected to the UVU Network 2.6 UVU 448 Use of University Technology Equipment 2.7 UVU 451 Retention of Electronic Files 3.0 DEFINITIONS 3.1 Acquiring bank: Entity that initiates and maintains relationships with merchants for the acceptance of payment cards. Also referred to as acquirer or acquiring financial institution.

Page 3 of 7 3.2 Attestation of Compliance (AOC): The form used for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance. 3.3 Cardholder: Non-consumer or consumer customer to whom a payment card is issued, or any individual authorized to use the payment card. 3.4 Cardholder data: At a minimum, cardholder data consists of the full primary account number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. 3.5 Cardholder data environment: The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data, including any connected system components. 3.6 Computer Incident Response Team (CIRT): The group, comprised of the Information Security Officer and Senior Security Analysts, that oversees the investigation and remediation of issues that led to a security breach of IT systems. 3.7 Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services. 3.8 Payment Card Oversight Committee (PCOC): A group tasked with the oversight of the University s PCI DSS compliance. It is comprised of the Associate Vice President CIO/Information Technology, Senior Analyst PCI Security, Officer Security/IT Services, Controller Business Services, and the Senior Accountant of Treasury Services. 3.9 Payment Card Industry Data Security Standard (PCI DSS): Standards developed by the PCI Security Standards Council (PCI SSC), which provide an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents. 3.10 Primary account number (PAN): Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. Also referred to as account number. 3.11 Self-Assessment Questionnaire (SAQ): Tool used by any entity to validate its own compliance with PCI DSS and when filing an AOC. The completed Self-Assessment Questionnaire is filed with the entity s acquiring bank.

Page 4 of 7 3.12 Sensitive authentication data: Security-related information (including but not limited to card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment-card transactions. 3.13 Service provider: Business entity, which is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services, as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded. 4.0 POLICY 4.1 UVU is responsible for its PCI DSS compliance and security breaches that occur on its information systems that handle credit card information; it is not responsible or liable for the PCI DSS compliance of non-university entities that conduct merchant business on university property or for security breaches that occur on the systems of these entities. 4.2 All merchant entities (both university and non-university entities) wishing to accept, process, transmit, or store payment cards while conducting business on UVU s campus and other university-owned facilities must receive approval from the Payment Card Oversight Committee (PCOC). 4.3 All merchant entities wishing to accept, process, transmit, or store payment card information while conducting business on UVU s campus and other university-owned facilities must be compliant with the standards set by the PCI SSC. University merchant entities shall provide adequate training for all employees dealing with payment card data on how this data should be handled securely and of the risks associated with payment card data relevant to the scope of their employment duties and shall follow the information security procedures outlined by the PCOC. 4.4 In order to ensure proper handling and safeguarding of payment card information, merchant entities will work with the PCOC to build and maintain a secure network for payment card information handling. This network shall meet the most current requirements established by the PCI SSC. 4.5 Each university employee who has access to cardholder information is responsible for protecting that information in accordance with PCI DSS and UVU policy and procedures. 4.6 All university merchant entities must complete the appropriate PCI DSS Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) and Attestation of Compliance

Page 5 of 7 (AOC) and submit both documents to the Finance and Business Services Office annually by the last university working day in June. 4.7 Non-university merchant entities and service providers operating on any of the University s campuses that accept credit cards must execute a contract addendum that includes an acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the University, or to the extent that they could impact the security of the University s cardholder data environment. The service provider will provide documentation of applicable PCI DSS requirements to be maintained as part of the provided service, and submit a copy of their current Attestation of Compliance. The PCOC will maintain a program to monitor service providers PCI DSS compliance status at least annually. 4.8 In the event of a security breach on a UVU system or that of a service provider that handles UVU consumer payment card data, the Computer Incident Response Team (CIRT) shall oversee the investigation and remediation of issues that led to the breach. The CIRT is responsible for providing updates to University Administration and for ensuring that the card brands and acquiring banks are notified. 5.0 PROCEDURES 5.1 Payment Card Oversight Committee (PCOC) 5.1.1 The oversight of PCI compliance throughout the University will be the joint responsibility of the Associate Vice President CIO/Information Technology, Senior Analyst PCI Security, Officer Security/IT Services, Controller Business Services, and the Senior Accountant of Treasury Services. 5.1.2 The PCOC is responsible for: 1) Monitoring the University s compliance with standards set by PCI SSC; 2) Assessing, analyzing, and providing information as required under the standards to merchant providers; 3) Granting the privilege of accepting payment cards to campus merchants (both university and non-university entities) and providing oversight of the merchant setup procedures to reduce the risk of exposing the University, the merchant entity, or the merchant entity s patrons to unnecessary information security risks; and 4) Coordinating training activities for the campus merchant community about their responsibilities regarding PCI compliance.

Page 6 of 7 5.2 PCI Security Breach Protocol 5.2.1 The events and circumstances of a suspected security breach must be immediately reported to the CIRT. The CIRT will immediately begin an investigation and follow the incident response plan, including identification, assessment, containment, eradication, recovery, and follow-up. During the process of responding to the incident, the CIRT team lead will ensure university administration is alerted and kept up-to-date, and will follow procedures for notifying card brands and acquiring banks. POLICY HISTORY Date of Last Action Action Taken Authorizing Entity

Page 7 of 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information