Credit Card Processing and Security Policy



Similar documents
PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Policy Title: Payment Cards Policy Effective Date: 5/5/2010. Policy Number: FA-PO-1214 Date of Last Revision: 11/5/2014

Information Technology

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Accepting Payment Cards and ecommerce Payments

Payment Card Industry Compliance

Saint Louis University Merchant Card Processing Policy & Procedures

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

CREDIT CARD PROCESSING & SECURITY POLICY

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

New York University University Policies

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

How To Complete A Pci Ds Self Assessment Questionnaire

Credit Card Handling Security Standards

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Appendix 1 Payment Card Industry Data Security Standards Program

POLICY SECTION 509: Electronic Financial Transaction Procedures

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

TERMINAL CONTROL MEASURES

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

Standards for Business Processes, Paper and Electronic Processing

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Viterbo University Credit Card Processing & Data Security Procedures and Policy

E-Market Policy Accepting Online Payment for Conducting University Business

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI Data Security and Classification Standards Summary

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY October

Clark University's PCI Compliance Policy

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Credit Card Security

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

CREDIT CARD PROCESSING POLICY AND PROCEDURES

University Policy Accepting Credit Cards to Conduct University Business

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Vanderbilt University

UW Platteville Credit Card Handling Policy

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

Credit and Debit Card Handling Policy Updated October 1, 2014

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Payment Card Acceptance Administrative Policy

Dartmouth College Merchant Credit Card Policy for Processors

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

The University of Georgia Credit/Debit Card Processing Procedures

SonicWALL PCI 1.1 Self-Assessment Questionnaire

Appendix 1 - Credit Card Security Incident Response Plan

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS

Credit Card Processing Overview

Policies and Procedures. Merchant Card Services Office of Treasury Operations

Miami University. Payment Card Data Security Policy

Policies and Procedures

Office of Finance and Treasury

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

University of Virginia Credit Card Requirements

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Montclair State University. HIPAA Security Policy

PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

Transcription:

Credit Card Processing and Security Policy Policy Number: Reserved for future use Responsible Official: Vice President of Administration and Finance Responsible Office: Student Account Services Effective date: 3/31/2015 Next review date: Supersedes policy dated: 8/13/2012 Approved by: Vice President of Administration and Finance I. Policy Statement The purpose of this policy is to establish guidelines and a process for the initiation and approval of all forms of credit card payment in accordance with and compliance to Payment Card Industry Data Security Standards (PCI DSS). University departments may accept credit cards as a form of payment for goods and services provided, after receiving advance written approval from the Merchant Services Manager in accordance with the Billing, Receipt Handling and Deposits Policy and following the objectives set forth in this policy. Departments, who need to accept credit cards and obtain a physical terminal to either swipe or key transactions through a data capture machine, need to contact the Merchant Services Manager and complete the required paper work to obtain a merchant number (see Attachment A). Any fees associated with the acceptance of the credit cards in each department, will be charged to that department. Departments wishing to engage in electronic commerce should use a certified PCI DSS compliant payment gateway as indicated on PCI Security Standards.org website (https://www.pcisecuritystandards.org). Requests should be directed to the Merchant Services Manager and Attachment A should be completed and filed with the Bursar Operations to obtain a merchant number. When they apply there will be a discussion to determine the best option for the area. This policy addresses Payment Card Industry Data Security Standards (PCI DSS) that are contractually imposed by VISA and MasterCard on merchants who accept these cards as forms of payments. The policy covers the following specific areas contained in the PCI Data Security Standards related to cardholder data: collecting, processing, transmitting, storing and disposing of cardholder data. Procedures must be documented by authorized departments and be available for periodic review. Departments seeking final authorization must ensure that the following objectives are met: NKU Policy Number: Reserved for future use Page 1 of 5

1. Access to cardholder data collected is restricted only to those users who need it to perform their jobs. 2. Cardholder data, whether collected on paper or electronically, is protected against unauthorized access. 3. All equipment used to collect data is secured against unauthorized use in accordance with the PCI Data Security Standard. 4. Physical security controls are in place to prevent unauthorized individuals from gaining access to the buildings, rooms, or cabinets where the equipment or documents containing cardholder data is stored. 5. Cardholder data is not processed, stored or transmitted using the University's network unless the PCI Compliance Officer and IT have verified the technical controls, including firewalls and encryption, are in accordance with the PCI Data Security Standard. 6. Cardholder data is not to be sent via end-user messaging technologies. (E-mail, text message, instant messenger, etc.) 7. Databases do not store credit card number, the full contents of any track from the magnetic stripe or the card-validation code. Reports must mask the card number to the first six or last four digits only. 8. Portable electronic media devices should not be used to store cardholder data. These devices include, but are not limited to, the following: laptops, compact disks, floppy disks, USB flash drives, personal digital assistants, and portable external hard drives. 9. Cardholder data is deleted or destroyed before it is disposed. Paper documents should be cross-cut shredded and destroyed when it's no longer needed for business or legal reasons in accordance to University Records Management Policy. Computer drives must be erased, degaussed, or physically destroyed in accordance with the University's Information Security Guidelines referenced within the Information Security Policy. 10. Credit card terminals are physically secured and batch/transmitted on a daily basis. 11. In the event of a breach, please refer to the NKU Incident Response Plan. II. Entities Affected This policy applies to all Northern Kentucky University faculty, staff, students, organizations and individuals who, on behalf of the University, handle electronic or paper documents associated with credit card receipt transactions or accept payments in the form of credit cards. The scope includes any credit card activities conducted at all Northern Kentucky University campuses and locations. III. Authority This purpose of this policy is to enforce the Payment Card Industry Data Security Standards and any state or federal laws applying to the acceptance, processing or transmitting of card holder data; the securing of card holder data; or the reporting procedures required in the case of a breach of card holder data. NKU Policy Number: Reserved for future use Page 2 of 5

IV. Definitions Cardholder: The individual to whom a credit card has been issued or the individual authorized to use the card. Cardholder data: All personally identifiable data about the cardholder gathered as a direct result of a credit card transaction (e.g. account number, expiration date, etc.). Card-validation code: The three-digit value printed on the signature panel of a payment card used to verify card-not-present transactions. On a MasterCard payment card this is called CVC2. On a Visa payment card this is called CVV2. Credit Card Receipt Transactions: Any collection of cardholder data to be used in a financial transaction whether by facsimile, paper, card presentation or electronic means. Database: A structured electronic format for organizing and maintaining information that can be easily retrieved. Simple examples of databases are table or spreadsheets. Encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key. Use of encryption protects information from unauthorized disclosure between the encryption process and the decryption process (the inverse of encryption). Firewall: Hardware and/or software that protect the resources of one network from users from other networks. Typically, an enterprise with an intranet that allows its workers access to the wider Internet must have a firewall to prevent outsiders from accessing its own private data resources. Magnetic Stripe Data (Track Data): Data encoded in the magnetic stripe used for authorization during a card present transaction. Network: A network is defined as two or more computers connected to each other so they can share resources. PCI DSS: Payment Card Industry Data Security Standards is the result of collaboration between the four major credit card brands to develop a single approach to safeguarding sensitive data. The PCI DSS defines a series of requirements and best practices for handling, transmitting and storing sensitive data. V. Responsibilities Merchant Services Manager The Merchant Services Manager or designee is responsible for the periodic reviews of departmental procedures and practices in connection with credit card receipt NKU Policy Number: Reserved for future use Page 3 of 5

transactions. Results will be reported to Internal Audit. All issues of non-compliance will be reported immediately to the Vice President for Administration and Finance. Information Technology Infrastructure Information Technology Infrastructure team is responsible for regularly monitoring and testing the NKU network. Information Technology Infrastructure team will cooperate with the Merchant Services Manager in accordance to the University's compliance with the PCI Standard technical requirements and verify the security controls of systems authorized to process credit cards. Heads of Departments and Activities Department heads are responsible for documenting departmental procedures and for ensuring that credit card activities are in compliance with this policy. Departments will potentially be responsible for any fines levied against the University that result from noncompliance by the department. Compliance The Vice President for Administration and Finance and/or the Associate Vice President for Finance will terminate credit card collection privileges for any department not in compliance with this policy. Failure to meet the requirements outlined in this policy will result in suspension of physical and or electronic payment capability for the affected departments. Additionally, fines may be imposed by the affected credit card company, beginning at $500,000 for the first violation, from each card company. Persons in violation of this policy are subject to the full range of sanctions up to and including termination. Some violations may constitute criminal offenses under local, state and federal laws. The University will report such violations to the Vice President for Administration and Finance and/or the Associate Vice President for Finance. VI. Committee A committee made up of staff from Human Resources, Internal Audit, Comptroller s Office, Business Auxiliary Services, General Counsel, Information Technology, Purchasing and any other departments deemed necessary by the Merchant Services Manager shall be convened on an ad hoc basis for purposes of addressing issues relating to this policy or any changes required. VII. Training The Merchant Services Manager will conduct annual training with all existing merchant departments or any that foresee the need to accept credit cards in the near future. This training typically takes place in June/July of each year. NKU Policy Number: Reserved for future use Page 4 of 5

References and Related Materials References: NKU Incident Response Plan Related Policies: Related Forms: NKU Merchant Application Revision History: Originated 8/13/2012 NKU Policy Number: Reserved for future use Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information