VCU Payment Card Policy
Policy Type: Administrative
Responsible Office: Treasury Services
Initial Policy Approved: 12/05/2013
Current Revision Approved: 12/05/2013

Policy Statement and Purpose
The purpose of this policy is to help ensure that VCU is (1) being a good steward of personal cardholder information entrusted to it by its students, parents, donors, alumni, customers and any individual or entity that utilizes a credit card to transact business with the university, (2) complying with the Payment Card Industry Data Security Standard (PCI DSS) and (3) striving to prevent unauthorized and inappropriate use of cardholders' information.

VCU is committed to complying with the PCI DSS by ensuring the secure handling of payment card information. All university merchants accepting payment cards are required to comply with the PCI DSS and this policy for accepting and handling payment card transactions. Treasury Services and Technology Services have been assigned responsibility for assessing, determining, and monitoring compliance with these standards. As a result, responsibility for determining how to apply these standards and for assessing deficiencies is shared among these named areas. Treasury Services will provide direction and assistance on business processes related to card operations, and Technology Services will provide direction and assistance with technical implementation and security issues.

Noncompliance with this policy may result in disciplinary action up to and including termination. VCU supports an environment free from retaliation. Retaliation against any employee who brings forth a good faith concern, asks a clarifying question, or participates in an investigation is prohibited.

Table of Contents
Who Should Know This Policy 2
Definitions 2
Contacts 2
Procedures 3
Forms 5
Related Documents 5
Revision History 5
FAQs 6

VCU Payment Card Policy - 1 - Approved: 12/05/2013
Who Should Know This Policy
VCU faculty, staff, students, contractors and third party vendors that collect, maintain or have access to payment card information are responsible for knowing this policy and familiarizing themselves with its contents and provisions.

Definitions
Approved Scanning Vendor: An Approved Scanning Vendor (ASV) is an organization that validates adherence to certain PCI DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. The PCI Council has approved over 130 ASVs.
Cardholder Data: The Primary Account Number (PAN) alone, or the PAN plus any of the following: full magnetic stripe information, cardholder name, service code or expiration date.
Merchant: Any entity that accepts payment cards as payment for goods and/or services.
Merchant Account: A relationship set up by Treasury Services through the bank and a credit card processor in order to process payment cards as payment for goods or services rendered by the account holder. The merchant account is tied to a Banner index to distribute funds appropriately to the merchant (owner) for which the account was set up.
Payment Card: Credit cards, debit cards or charge cards issued by a financial institution.
PCI DSS: The Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment card data security. Compliance with the PCI DSS helps to alleviate vulnerabilities that put cardholder data at risk.
Service Provider: Any company that stores, processes or transmits cardholder data on behalf of another entity is defined to be a service provider by the Payment Card Industry (PCI) guidelines.
Third Party Processor: A company that offers payment card processing software and/or gateway services. All third party processors must be PCI DSS compliant in order for a department to obtain or maintain a merchant account.

Contacts
Treasury Services and Technology Services are responsible for this policy.
Treasury Services is responsible for obtaining approval for any revisions as required by the policy "Creating and Maintaining Policies and Procedures" through the appropriate governance structures. Please direct policy questions to Treasury Services. Technical security questions should be directed to Technology Services.

Procedures
University departments must request and receive approval from Treasury Services prior to accepting payment cards. Treasury Services will assist departments in establishing processes and appropriate controls through on-line training. *All university departments that process payment card transactions for goods and services are deemed to be merchants under the PCI DSS*. Third party vendors (processors, software providers, payment gateways, or other goods or service providers) who accept credit card transactions on behalf of the University must contractually agree to:
(1) adhere to all applicable requirements in PCI DSS,
(2) be liable for the security of the cardholder data,
(3) notify the University of any breaches or intrusions within 72 hours of discovery, and
(4) periodic information security reviews by the University.
Detailed procedural steps are provided below to ensure full compliance.

1. Compliance with PCI DSS Standards
Departments accepting payment cards are expected to adhere to these standards, which are updated periodically, and to verify the compliance of third party service providers. The standards can be summarized as follows:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The university prohibits electronic storage of cardholder data because of the additional risks associated with protecting the stored data. Requirements apply to departments that collect card information in any format for processing. Paper records containing payment card information must be destroyed in accordance with the PCI DSS and the Library of Virginia's Record Retention Schedule.
Departments shall agree to forward necessary system and network log information from their payment card systems and associated network devices to security monitoring tools managed by Technology Services for detection and prevention of threats targeting these systems. Departments shall also agree to allow periodic security scans and testing of their payment card systems by both Technology Services and the selected Approved Scanning Vendor. Further, if applicable, with guidance from Treasury Services and Technology Services, departments are responsible for the completion of an annual Self-Assessment Questionnaire (SAQ) as required by PCI DSS.

2. Payment Card Acceptance
Any entity that accepts payment cards as payment for goods and/or services is a merchant. Once merchant accounts are enabled for a department, the department has an ongoing responsibility to understand security requirements, comply with PCI DSS standards, and maintain proper business practices as described further in various procedures and guidelines associated with this policy. Annually, individuals must be trained in the proper handling of payment card information and must complete the Responsibilities of Credit Card Handlers and Processors form. Access to payment card data by university employees must be limited to those individuals with a business need. Employees must have a unique login identification and password to access computer systems or programs that contain payment card information, to ensure individual accountability. Vendor-supplied defaults for system passwords and other security parameters are not to be used. Departments are responsible for paying all fees and other costs associated with accepting payment cards, including equipment and technology costs, banking fees, and external security assessment fees as required by PCI DSS.

3. Use of Third Party Software
Only University-approved compliant e-commerce applications may be used. Departments whose needs cannot be met by the list of pre-approved PCI DSS compliant software applications must request prior approval from Treasury Services and Technology Services before considering or acquiring third party solutions. Third party processors must provide proof of PCI DSS compliance on an annual basis to Treasury Services.

4. Secure Transmissions
To ensure that proper business practices and security are maintained, only secure and approved processes are conducted, through approved web vendors, analog telephone lines for point of sale terminals and/or PCI compliant IP credit card terminals. Unapproved processes, including email, must not be used to transmit or store payment card information.

5. Security Breaches
All known or suspected security breaches of cardholder information must be reported immediately to the department head, Treasury Services at 828-6533 and the Technology Services Information Security Office via the VCU Help Desk at 828-2227. Departments must cooperate fully with any resulting investigation.

6. Sanctions for Non-Compliance
University departments that transact business using payment cards in a manner that deviates from this policy are subject to various financial and other sanctions. These may include termination of merchant accounts, financial penalties and costs associated with a security breach, penalties and costs associated with bringing a non-compliant application into compliance, and/or possible disciplinary action of the individual involved up to and including termination of employment.
Forms
1. Responsibilities of Credit Card Handlers (http://www.vcu.edu/treasury/ccresponsibilities.pdf)
2. Request for a New Merchant Account (Jessica has this form, and it is not a live URL yet, but she has given me the form)

Related Documents
1. Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/)
2. Credit Card Merchant Accounts (http://www.vcu.edu/treasury/creditcardmerchantaccount.htm)
3. University Cash Receipting Policies and Procedures (http://www.vcu.edu/treasury/cashieringoperationsguidelines.htm)
4. Information Security Policy (http://ts.vcu.edu/askit/3408.html)
5. Records Management (http://ts.vcu.edu/askit/1947.html)
6. Computer and Network Resources Use Policy (http://www.ts.vcu.edu/askit/3409.html)

Revision History
None. New policy.

FAQs
1. To whom does PCI apply?
PCI applies to all university departments that accept, transmit or store any cardholder data regardless of size or number of transactions.
2. Who set the standards?
The standards are set by the PCI Security Standards Council. The PCI Council was created in 2006 to align the separate security programs and standards of the major card programs: American Express, Discover Financial Services, JCB, MasterCard Worldwide and VISA International.
3. What constitutes a payment application?
A payment application is anything that stores, processes or transmits card data electronically. This means that anything from a Point of Sale system (swipe terminals) to a web e-commerce site is classified as a payment application. Any piece of software that has been designed to touch payment card data is considered a payment application.
4. What are the costs of non-compliance with PCI DSS?
The cost of non-compliance will result primarily from a security breach if cardholder information is compromised. These costs may include:
- Notifying affected cardholders
- Paying for credit monitoring for the affected parties
- Paying for unauthorized charges
- Implementing needed hardware or software upgrades to comply with a higher level of security that would be required post-breach
- Fines from credit card companies and the PCI Council
- Litigation from cardholders, vendors or credit card companies
- Unfavorable publicity
- Damage to VCU's reputation
- Temporary or permanent loss of ability to process payment cards
5. How do payment card security breaches happen?
Types of breaches:
- Hacking into networked computers
- Lost or stolen PCs and media
- Improper disposal of records (paper records not shredded or properly disposed)
- Intentional disclosure or fraud
- Unintentional disclosure due to human error
Sources of breaches:
- Improper storage of data
- Insecure applications
- Inadequate network security controls
- Unpatched systems and/or default configuration
- Insecure wireless access points
- Use of default passwords
- No intrusion monitoring
- Unsecured point of sale technology
- Malicious insider