6-8065 Payment Card Industry Compliance



Similar documents
COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

CREDIT CARD PROCESSING & SECURITY POLICY

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

Appendix 1 Payment Card Industry Data Security Standards Program

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Office of Finance and Treasury

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Credit Card Handling Security Standards

PCI Data Security and Classification Standards Summary

Information Technology

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

Vanderbilt University

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

POLICY SECTION 509: Electronic Financial Transaction Procedures

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TERMINAL CONTROL MEASURES

How To Complete A Pci Ds Self Assessment Questionnaire

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Viterbo University Credit Card Processing & Data Security Procedures and Policy

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Miami University. Payment Card Data Security Policy

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

Credit Card Processing and Security Policy

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

Credit and Debit Card Handling Policy Updated October 1, 2014

Becoming PCI Compliant

Accepting Payment Cards and ecommerce Payments

CREDIT CARD PROCESSING POLICY AND PROCEDURES

Standards for Business Processes, Paper and Electronic Processing

Information Security Policy

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Emory University & Emory Healthcare

UW Platteville Credit Card Handling Policy

Credit Card Processing Overview

Saint Louis University Merchant Card Processing Policy & Procedures

Dartmouth College Merchant Credit Card Policy for Processors

New York University University Policies

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Payment Card Industry Data Security Standards Compliance

A Rackspace White Paper Spring 2010

University of Sunderland Business Assurance PCI Security Policy

CardControl. Credit Card Processing 101. Overview. Contents

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Cash & Banking Procedures

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY October

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

E-Market Policy Accepting Online Payment for Conducting University Business

Josiah Wilkinson Internal Security Assessor. Nationwide

Why Is Compliance with PCI DSS Important?

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson

Frequently Asked Questions

Appendix 1 - Credit Card Security Incident Response Plan

Policies and Procedures

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures

How To Control Credit Card And Debit Card Payments In Wisconsin

Failure to follow the following procedures may subject the state to significant losses, including:

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures

La règlementation VisaCard, MasterCard PCI-DSS

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

Technical breakout session

Payment Card Acceptance Administrative Policy

Transcription:

0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card Industry Data Security Standards necessary to remain compliant and appropriately certified and will ensure that appropriate business practices and procedures as well as information security technology is implemented to retain certification and safeguard payment card data. I. Definitions: a. Payment Card Industry Data Security Standards (PCI-DSS): a set of standards established by the Payment Card Industry Security Standards Council to develop a single approach to safeguarding sensitive data. The PCI standard defines a series of best practices for handling, transmitting and storing sensitive data. b. Cardholder Information Security Program (CISP): a program designed to ensure that all merchants that store, process, or transmit cardholder data, protect it properly by adhering to the Payment Card Industry (PCI) Data Security Standard. c. Cardholder Information: any personally identifiable data associated with a cardholder or a payment card, for example, an account number, expiration date, name, address, social security number, Card Validation Code CVC (MasterCard), Card Verification Value CVV (VISA), Card Member ID (Discover) or CID Card Identification Number (American Express) (e.g., three or four-digit value printed on the front or back of a payment card). d. Point of Sale Terminal (POS-T): electronic retail payment device which () reads a customer s bank s name and account number when a bank card or credit card is swiped (passed through a magnetic stripe reader), () contacts the bank and (if funds are available) transfers the customer approved amount to the seller s account, and () prints a receipt. e. Credit Card: a plastic card issued to concede to the holder, upon presentation to authorized stores or service providers, products or services on credit. f. Debit Card: a plastic card that may be used for purchasing goods and services or for obtaining cash advances for which payment is made from existing funds in a bank account. g. Need to Know : access to the information must be necessary for the conduct of one s official duties. -0 Payment Card Industry Compliance Page of

0 0 0 0 Adopted: July, -0 Payment Card Industry Compliance Page of

0 0 0 Administrative Procedure -0 Payment Card Industry Compliance I. Procedures for Processing Payment Card Information: a. Administrators of College Departments who need to accept payment cards and/or obtain a physical terminal to either swipe or key transactions through a point of sale terminal (POS-T) must request approval from the Executive Vice Chancellor for Fiscal Services or his/her designee. b. College and central services personnel assigned to process payment card transactions must receive training on the process to report and include those transactions in the District financial system. c. College and central services personnel who accept payment cards must receive training on understanding the requirements of and compliance with the PCI-DSS standards. d. College and central services personnel who accept payment cards must store only essential information. The Card Validation Code or the PIN Number must not be stored nor should the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.) be stored. e. All media used for payment cards must be destroyed when retired from use. All hardcopy must be shredded using secure cross-cut shredded method prior to disposal. f. Exceptions to this procedure may be granted only after a written request from the college or central services department has been reviewed and approved by the Executive Vice Chancellor for Fiscal Services or his/her designee. g. The Assistant Vice Chancellor of Information Technology or his/her designee will authorize access for positions that require specific levels of data access. For employees who do not need to have access to payment card account numbers, the numbers will be masked to protect account information. h. Under no circumstances may payment card information be obtained or transmitted by e-mail, through campus mail or wireless networks. Payment card data transmission is permissible by fax. i. Any changes to systems housing account information must only be performed when i. Thorough testing has taken place to ensure adequacies of controls ii. Functionality testing with module custodians and/or functional exports has taken place iii. Change control processes have been followed II. Procedures for PCI Data Storage and Destruction: a. Hardcopy containing cardholder data shall be destroyed immediately after processing. -0 Payment Card Industry Compliance Page of

0 0 0 b. All electronic media containing cardholder information shall be labeled and identified as confidential. c. An inventory of media containing cardholder information shall be performed quarterly. d. Audit logs for system housing cardholder data shall be readily available for a period of 0 days. After 0 days, logs can be archived but must be maintained for one year. e. Electronic backup media containing cardholder data shall be secured/encrypted and stored in a secure environment. Retention and destruction of electronic backup media is defined by Yosemite Community College District (YCCD) data retention program. III. Procedures for Using Third Party and External Vendors: a. Use of third party service providers for the purpose of payment card processing must be reviewed and approved by Executive Vice Chancellor for Fiscal Services or his/her designee and the Assistant Vice Chancellor of Information Technology or his/her designee. b. External service providers must be PCI-DSS compliant and provide current, certified proof of compliance upon request. c. Contracts with external vendors must include language that requires vendors to demonstrate compliance with PCI-DSS if relevant to the services provided by the vendor. Contracts with external vendors must contain language that requires notification of any changes in PCI compliance status. IV. General PCI Security Procedures: a. Each employee with access to cardholder data electronically must have a unique password. b. In accordance with the YCCD Information Security Program, cardholder data should not be stored on servers, local hard drives or external (removable) media including USB Flash drives and optical media unless encrypted and otherwise in full compliance with PCI-DSS. c. All personal computers/workstations/laptops which handle payment card transactions must automatically have their screens locked after no more than ten (0) minutes of inactivity. d. For a paper media (e.g. paper receipts, forms, and faxes), cardholder information should not be stored, unless approved for appropriate business purposes and access is limited to individuals with a business need to know. Cardholder data should be blacked out on paper media, and disposed of properly (e.g. cross-cut shredded) when no longer needed for business purposes. V. College and Central Services Department Administrators Need to Ensure: -0 Payment Card Industry Compliance Page of

0 0 0 VI. VII. a. Only authorized personnel have access to payment card applications and data. b. Payment card account numbers are properly secured and safeguarded. c. Colleague accounts are properly reconciled with any discrepancies brought to the attention of Central Services Fiscal Services immediately. To maintain proper segregation of duties and minimize the risk of fraud, the individual administering Colleague is not the same individual that initiates, authorizes and processes the transactions. d. Central Services Fiscal Services is notified immediately of any changes in a department s card processing environment; including using the account for a new purpose, adding a new card acceptance technology or channel, or adding or customizing a payment application. The YCCD Central Services Fiscal Services Department will: a. Provide training to ensure college and central services staff are accepting and processing payment cards in compliance with PCI-DSS standards. b. Work with college department(s) and central services staff to create and test payment card applications before implementation. c. Work with external vendors to ensure compliance with policies, practices, and procedures for accepting payment cards at the college. d. Work together with Information Technology to complete the PCI-DSS Self-Assessment annually. e. Verify annually that payment card applications are PCI-DSS compliant and, if applicable, on the Payment Application Best Practice (PABP) list. The YCCD Central Services Information Technology Department will: a. Approve installation, modifications, and removal of all network hardware devices throughout the district. b. Identify compliant application software or service providers with the required functionality to meet college business needs. c. Ensure all physical network devices (e.g., routers, switches, wireless access points, and firewall configurations) and/or applications are properly secure. d. Ensure all systems processing payment card transactions are segmented into the proper VLAN which properly segments and isolates all PCI traffic. e. Perform approved scans on end user s desktops/laptops to identify potential unsecure payment card information which violate the district Information Security Standard. -0 Payment Card Industry Compliance Page of

0 f. Arrange for an approved third-party company to conduct annual penetration tests and vulnerability scans on all systems processing payment card transactions and resolve any issues immediately. g. Implement any and all identified precautions needed to safeguard all district payment card transactions in accordance with PCI-DSS. h. Work together with Fiscal Services to complete the PCI-DSS Self-Assessment annually and coordinate with external scan vendor(s) quarterly to ensure PCI-DSS compliance. i. If required, coordinate with approved PCI-DSS QSA vendors to verify PCI-DSS compliance. VIII. Requirements for Breach Notification: a. Any breaches, actual or suspected, of this procedure or any of the PCI-DSS standards shall be reported immediately to the Executive Vice Chancellor for Fiscal Services or his/her designee and the Assistant Vice Chancellor of Information Technology or his/her designee. b. In the event that a breach is suspected, the PCI-DSS Incident Response Plan will be followed until the incident is cleared or the plan has been followed through to completion. Procedure Last Revised: July, -0 Payment Card Industry Compliance Page of

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information