The following are responsible for the accuracy of the information contained in this document:

Similar documents
Credit/Debit Card Processing Policy

CREDIT CARD PROCESSING POLICY AND PROCEDURES

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

The University of Georgia Credit/Debit Card Processing Procedures

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

Information Technology

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Accepting Payment Cards and ecommerce Payments

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Frequently Asked Questions

Payment Card Industry Compliance

Frequently Asked Questions

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

688 Sherbrooke Street West, Room 730 James Administration Building, Room 524

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

POLICY SECTION 509: Electronic Financial Transaction Procedures

How To Protect Your Credit Card Information From Being Stolen

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Clark University's PCI Compliance Policy

Miami University. Payment Card Data Security Policy

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

2.1.2 CARDHOLDER DATA SECURITY

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

PC-DSS Compliance Strategies NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

PCI COMPLIANCE FOR HIGHER EDUCATION BEST PRACTICES CHECKLIST. Presented By: The Treasury Institute for Higher Education.

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Your Compliance Classification Level and What it Means

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Registration and PCI DSS compliance validation

Understanding Payment Card Industry (PCI) Data Security

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Important Info for Youth Sports Associations

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

How To Ensure Account Information Security

Merchant guide to PCI DSS

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

Accounting and Administrative Manual Section 100: Accounting and Finance

Payment Card Industry Data Security Standards

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

Payment Card Industry Data Security Standard

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

La règlementation VisaCard, MasterCard PCI-DSS

CREDIT CARD PROCESSING & SECURITY POLICY

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

b. USNH requires that all campus organizations and departments collecting credit card receipts:

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

PCI Standards: A Banking Perspective

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

PCI Compliance. Top 10 Questions & Answers

PCI Compliance Overview

Josiah Wilkinson Internal Security Assessor. Nationwide

Saint Louis University Merchant Card Processing Policy & Procedures

Credit and Debit Card Handling Policy Updated October 1, 2014

PCI Policies Appalachian State University

Emory University & Emory Healthcare

Vanderbilt University

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

University of Sunderland Business Assurance PCI Security Policy

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Registry of Service Providers

Credit Card Handling Security Standards

Third Party Agent Registration and PCI DSS Compliance Validation Guide

Becoming PCI Compliant

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

Frequently Asked Questions

PCI DSS. CollectorSolutions, Incorporated

Sales Rep Frequently Asked Questions

CREDIT CARD POLICY DRAFT

Payment Card Industry Data Security Standard

PCI Compliance Top 10 Questions and Answers

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

Two Approaches to PCI-DSS Compliance

Office of Finance and Treasury

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

And Take a Step on the IG Career Path

Achieving Compliance with the PCI Data Security Standard

Project Title slide Project: PCI. Are You At Risk?

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

Transcription:

AskUGA 1 of 5 Credit/Debit Cards Responsible administrator: Senior Vice President for Finance and Administration Related Procedure: The Credit/Debit Card Processing Procedures Responsible department: Bursar's Office The following are responsible for the accuracy of the information contained in this document: Responsible University Officers Senior Vice President for Finance and Administration (SVPFA) Chief Information Officer (CIO) Responsible Coordinating Offices Bursar s Division Office of Information Security Internal Auditing Division 1. Executive Summary and Purpose This policy provides requirements and guidance for all credit and debit card processing activities for the University of Georgia, including UGA Athletic Department, Arch Foundation, and UGA Alumni Association. At the initial publication of this policy the following sources were consulted and provided the basis for this program: ISO 17799, Payment Card Industry (PCI) Security Standards, and the Card Association Merchant Operating Regulations (Visa, MasterCard, American Express, and Discover). As card association regulations change, this policy will be updated as needed, and adhered to on a continued basis. This policy deals with access to The University of Georgia s computing and network resources. All relevant provisions in the Computer Security and Ethics Policy are applicable and included by reference in this document. This policy preempts all other campus policies and procedures and ALL issues within the scope of this policy. 2. Scope This policy applies to: All units, affiliates, and employees of The University of Georgia who accept credit/debit card payments for University business All external organizations contracted by the aforementioned parties to provide outsourced services for credit/debit card processing for University business All units, affiliates and employees of The University of Georgia who provide credit/debit card processing services for third parties 3. Definitions Account Number: The unique number identifying the cardholder s account which is used in financial transactions Cardholder Data: Cardholder data is any personally identifiable data associated with a cardholder. This

AskUGA 2 of 5 could be an account number, expiration date, name, address, social security number, etc. Cardholder Information Security Program (CISP): CISP defines a standard of due care for securing Visa cardholder data, wherever it is located. CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data. Credit/Debit Card Processing: Act of storing, processing, or transmitting credit/debit cardholder data. Data Security Standard (DSS): Data security standards mandated by American Express. Payment Card Industry Data Security Standard (PCI): Set of requirements adopted by the Card Associations to protect and safe guard against cardholder data exposure and compromise. This standard is inclusive of the Visa CISP, MasterCard SDP, and American Express DSS. Payment Application Best Practices(PABP): Set of recommended practices for software vendors to create secure payment applications to help their customers comply with PCI. Sensitive Cardholder data: This is defined as the account number, expiration date, CVC2/CVV2 (a three-digit number imprinted on the signature panel of the card), any sensitive authentication data subsequent to authorization, PVV (PIN Verification Value) and data stored on track 1 and track 2 of the magnetic stripe of the card. Cardholder Information Security Program (CISP): CISP defines a standard of due care for securing Visa cardholder data, wherever it is located. CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data. Credit/Debit Card Processing: Act of storing, processing, or transmitting credit/debit cardholder data. Data Security Standard (DSS): Data security standards mandated by American Express. e-commerce Applications: Any internet enabled financial transaction application. Employee: Any employee as defined by the UGA Human Resource Policy & Procedure, http://www.busfin.uga.edu/manual/. Employee In Key Roles: Any employee with the following roles concerning credit card sales: manager overseeing credit card sales, accountant for credit card sales, technical support to credit card solutions and equipment, and any other staff member with access to physically stored credit card receipts. ISO 17799: The International Standards Organization document defining computer security standards POS Device: Point-of-sale (POS) computer or credit card terminals either running as a stand alone system or connecting to a server at The University of Georgia or at a remote off site location. Site Data Protection Program (SDP): The formal data protection program mandated by MasterCard. The SDP Program provides acquiring members with the ability to deploy security compliance programs, ensuring that online merchants and member service providers are adequately protected against hacker intrusions and account data compromises. Web Development: The design, development, implementation and management of the user interface of the e-commerce application. 4. Statement of Policy A. The approval process for all credit/debit card processing activities will be as follows: The SVPFA, CIO or delegates(s) must approve all credit/debit card processing activities at The University of Georgia before a unit enters into any contracts or purchases software and/or equipment. Please refer to The University of Georgia Credit/Debit card processing procedures

AskUGA 3 of 5 for additional information. This requirement applies regardless of the transaction method used (e.g., e-commerce, POS device, or e-commerce outsourced to a third party). Approved units must register their credit/debit card processing information with the Bursar s Office. All technology implementation (including approval of authorized payment gateways) associated with the credit/debit card processing must be in accordance with The University of Georgia Credit Card Processing Procedures, PCI (Payment Card Industry) standards and the Board of Regents policies and approved by the SVPFA, CIO or delegate(s) prior to entering into any contracts or purchasing of software and/or equipment. Approved vendors and software must be confirmed as PCI compliant by the card associations and not just a third party assessor. When possible, all approved equipment should be validated as being PABP. Sensitive cardholder data should not be stored in any fashion on University of Georgia computers or networks. Transmission of sensitive cardholder data must follow guidelines for point of sale and ecommerce as described in the University credit card/debit card procedures. Credit Card point of sale receipts should follow approved procedures for storage and retention. Exemptions to this must be approved by both the SVPFA and CIO. B. Units approved for credit card processing activities must maintain the following standards: All employees (business managers, operations personnel, and technical staff) involved in e-commerce or POS transactions must attend appropriate training. All units should create, maintain and test annually, business continuity and disaster recovery plans as well as incident response capabilities. Incident response procedures can be found in the university s procedures for credit/debit card processing. All servers and POS devices will be administered in accordance with the requirements of the Credit/Debit Card Processing Procedures. Access to credit/debit card processing systems and related information must be restricted to appropriate personnel. These persons are defined as needing access to credit card information in order to perform their day to day job responsibilities. The university will contract with an approved and certified PCI 3 rd party assessor to review our processes and determine any vulnerabilities as it relates to PCI compliance. Each unit responsible for credit/debit card processing must have a completed PCI questionnaire on file with the approved assessor. This questionnaire needs to be reviewed annually to ensure compliance with this policy and the associated procedures and provide an update should current procedures/operations change. Each unit with the exception of point of sale merchants must also enroll and participate in quarterly network scans with the approved third party assessor. Each merchant s questionnaire and scans will be documented and tracked by the approved third party assessor. The Bursar s Office, Internal Audit and the Office of Information Security will have access to each merchant s status on a continual basis. The Chief Information Security Officer and the Bursar s Office will, at the request of the unit, assist in the initial PCI questionnaire. Audits will be performed periodically by the Internal Auditing Division to confirm the results of the PCI questionnaire.

AskUGA 4 of 5 C. On an annual basis, the Chief Information Security Officer, Bursar s Office, Internal Auditing and/or the PCI Evaluator for the University will provide appropriate training to all employees associated with credit/debit card processing. D. The Bursar s Office will monitor the PCI compliance list weekly so that any changes that effect one or all of our merchants can be addressed immediately. E. The Bursar s Office will monitor each merchant s level of compliance via the PCI compliance portal maintained by the University s third party assessor. F. Employees in key roles are required to acknowledge in writing that they have read and understand the University s policy and procedures. G. Require a background check as a condition of employment to any employee hired to be involved with credit card processing including key roles such as sales clerk before hiring. Please refer to Human Resources for the university s policy regarding background checks. H. Should you become aware cardholder data has been compromised, you need to follow the incident response as outlined in the credit card procedures. 5. Procedures The Credit/Debit Card Processing Procedures document provides details for implementation of this policy. This separate document carries the full force of this policy. This separation allows for easier modifications to the procedures due to the changing nature of business, technology and security. 6. Revisions and Exceptions This policy should be reviewed at least annually and revised as needed according to new standards and laws. This policy may be revised only with approval of the SVPFA of The University of Georgia. The SVPFA and the CIO may grant exceptions to this policy or revise the Credit/Debit Card Processing Procedures document by mutual agreement. 7. Compliance Failure to comply with this policy and the associated required procedures will be deemed a violation of University policy and subject to disciplinary action up to and including termination as noted in the Guide to Progressive Discipline. Technology that does not comply with this policy and the associated required procedures is subject to disconnection of network services.

AskUGA 5 of 5 8. Communication Upon approval, this policy shall be published on the appropriate University of Georgia web site(s). The following offices and individuals shall be notified in writing with any subsequent revisions or amendments made to this policy: Associate Vice Provosts Deans, Directors and Department Heads Associate Vice Presidents Wording for the recently approved background checks needs to included credit card wherever cash is referenced. The Credit/Debit Card Processing Procedures

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information