VCU Payment Card Policy



Policy Type: Administrative
Responsible Office: Treasury Services
Initial Policy Approved: 12/05/2013
Current Revision Approved: 12/05/2013

Policy Statement and Purpose

The purpose of this policy is to help ensure that VCU is (1) being a good steward of personal cardholder information entrusted to it by its students, parents, donors, alumni, customers and any individual or entity that utilizes a credit card to transact business with the university, (2) complying with the Payment Card Industry Data Security Standards (PCI DSS) and (3) striving to prevent unauthorized and inappropriate use of cardholders' information.

VCU is committed to complying with the PCI DSS by ensuring the secure handling of payment card information. All university merchants accepting payment cards are required to comply with the PCI DSS and this policy for accepting and handling payment card transactions. Treasury Services and Technology Services have been assigned responsibility for assessing, determining, and monitoring compliance with these standards. As a result, responsibility for determining how to apply these standards and for assessing deficiencies is shared among these named areas. Treasury Services will provide direction and assistance on business processes related to card operations, and Technology Services will provide direction and assist with technical implementation and security issues.

Noncompliance with this policy may result in disciplinary action up to and including termination.

VCU supports an environment free from retaliation. Retaliation against any employee who brings forth a good faith concern, asks a clarifying question, or participates in an investigation is prohibited.

Table of Contents
Who Should Know This Policy
Definitions
Contacts
Procedures
Forms
Related Documents
Revision History
FAQs

VCU Payment Card Policy - 1 - Approved: 12/05/2013

Who Should Know This Policy

VCU faculty, staff, students, contractors and third party vendors that collect, maintain or have access to payment card information are responsible for knowing this policy and familiarizing themselves with its contents and provisions.

Definitions

Approved Scanning Vendor
An Approved Scanning Vendor (ASV) is an organization that validates adherence to certain PCI-DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. The PCI council has approved over 130 ASVs.

Cardholder Data
The Primary Account Number (PAN) alone, or the PAN plus any of the following: full magnetic stripe information, cardholder name, service code or expiration date.

Merchant
Any entity that accepts payment cards as payment for goods and/or services.

Merchant Account
A relationship set up by Treasury Services through the bank and a credit card processor in order to process payment cards as payment for goods or services rendered by the account holder. The merchant account is tied to a Banner index to distribute funds appropriately to the merchant (owner) for which the account was set up.

Payment Card
Credit cards, debit cards or charge cards issued by a financial institution.

PCI-DSS
The Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment card data security. Compliance with the PCI DSS helps to alleviate vulnerabilities that put cardholder data at risk.

Service Provider
Any company that stores, processes or transmits cardholder data on behalf of another entity is defined to be a Service Provider by the Payment Card Industry (PCI) guidelines.

Third Party Processor
A company that offers Payment Card processing software and/or gateway services. All Third Party Processors must be PCI DSS compliant in order for a department to obtain or maintain a merchant account.

Contacts

Treasury Services and Technology Services are responsible for this policy. Treasury Services is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures through the appropriate governance structures. Please direct policy questions to Treasury Services. Technical security questions should be directed to Technology Services.

Procedures

University departments must request and receive approval from Treasury Services prior to accepting payment cards. Treasury Services will assist departments in establishing processes and appropriate controls through on-line training. *All university departments that process payment card transactions for goods and services are deemed to be merchants under the PCI DSS*. Third party vendors (processors, software providers, payment gateways, or other goods or service providers) who accept credit card transactions on behalf of the University must contractually agree to: (1) adhere to all applicable requirements in PCI DSS, (2) be liable for the security of the cardholder data, (3) notify the University of any breaches or intrusions within 72 hours of discovery, and (4) periodic information security reviews by the University. Detailed procedural steps are provided below to ensure full compliance.

1. Compliance with PCI DSS Standards

Departments accepting payment cards are expected to adhere to these standards, which are updated periodically, and to verify the compliance of third party service providers. The standards can be summarized as follows:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy

The university prohibits electronic storage of cardholder data because of the additional risks associated with protecting the stored data. Requirements apply to departments that collect card information in any format for processing. Paper records containing payment card information must be destroyed in accordance with the PCI DSS and the Library of Virginia's Record Retention Schedule.

Departments shall agree to forward necessary system and network log information from their payment card systems and associated network devices to security monitoring tools managed by Technology Services for detection and prevention of threats targeting these systems. Departments shall also agree to allow periodic security scans and testing of their payment card systems by both Technology Services and the selected Approved Scanning Vendor. Further, if applicable, with guidance from Treasury Services and Technology Services, departments are responsible for the completion of an annual Self-Assessment Questionnaire (SAQ) as required by PCI DSS.

2. Payment Card Acceptance

Any entity that accepts payment cards as payment for goods and/or services is a merchant. Once merchant accounts are enabled for a department, the department has an ongoing responsibility to understand security requirements, comply with PCI DSS standards, and maintain proper business practices as described further in various procedures and guidelines associated with this policy. Annually, individuals must be trained in the proper handling of payment card information and must complete the Responsibilities of Credit Card Handlers and Processors form. Access to payment card data by university employees must be limited to those individuals with a business need. Employees must have a unique login identification and password to access computer systems or programs that contain payment card information, to ensure individual accountability. Vendor-supplied defaults for system passwords and other security parameters are not to be used. Departments are responsible for paying all fees and other costs associated with accepting payment cards, including equipment and technology costs, banking fees, and external security assessment fees as required by PCI DSS.

3. Use of Third Party Software

Only University-approved compliant e-commerce applications may be used. Departments whose needs cannot be met by the list of pre-approved software applications that are PCI DSS compliant must request prior approval from Treasury Services and Technology Services before considering or acquiring third party solutions. Third party processors must provide proof of PCI DSS compliance on an annual basis to Treasury Services.

4. Secure Transmissions

To ensure that proper business practices and security are maintained, only secure and approved processes are conducted, through approved web vendors, analog telephone lines for point of sale terminals and/or PCI compliant IP credit card terminals. Unapproved processes, including email, may not be used to transmit or store payment card information.

5. Security Breaches

All known or suspected security breaches of cardholder information must be reported immediately to the department head, Treasury Services at 828-6533 and the Technology Services Information Security Office via the VCU Help Desk at 828-2227. Departments must cooperate fully with any resulting investigation.

6. Sanctions for Non-Compliance

University departments that transact business using payment cards in a manner that deviates from this policy are subject to various financial and other sanctions. These may include termination of merchant accounts, financial penalties and costs associated with a security breach, penalties and costs associated with bringing a non-compliant application into compliance, and/or possible disciplinary action of the individual involved up to and including termination of employment.

Forms

1. Responsibilities of Credit Card Handlers (http://www.vcu.edu/treasury/ccresponsibilities.pdf)
2. Request for a New Merchant Account (Jessica has this form, and it is not a live URL yet, but she has given me the form)

Related Documents

1. Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/)
2. Credit Card Merchant Accounts (http://www.vcu.edu/treasury/creditcardmerchantaccount.htm)
3. University Cash Receipting Policies and Procedures (http://www.vcu.edu/treasury/cashieringoperationsguidelines.htm)
4. Information Security Policy (http://ts.vcu.edu/askit/3408.html)
5. Records Management (http://ts.vcu.edu/askit/1947.html)
6. Computer and Network Resources Use Policy (http://www.ts.vcu.edu/askit/3409.html)

Revision History

None. New Policy.

FAQs

1. To whom does PCI apply?
PCI applies to all university departments that accept, transmit or store any cardholder data, regardless of size or number of transactions.

2. Who set the standards?
The standards are set by the PCI Security Standards Council. The PCI Council was created in 2006 to align the separate security programs and standards of the major card programs: American Express, Discover Financial Services, JCB, MasterCard Worldwide and VISA International.

3. What constitutes a payment application?
A payment application is anything that stores, processes or transmits card data electronically. This means that anything from a Point of Sale System (swipe terminals) to a web e-commerce site is classified as a payment application. Any piece of software that has been designed to touch payment card data is considered a payment application.

4. What are the costs of non-compliance with PCI DSS?
The cost of non-compliance will result primarily from a security breach if cardholder information is compromised. These costs may include:
- Notifying affected cardholders
- Paying for credit monitoring for the affected parties
- Paying for unauthorized charges
- Implementing needed hardware or software upgrades to comply with the higher level of security that would be required post-breach
- Fines from credit card companies and the PCI council
- Litigation from cardholders, vendors or credit card companies
- Unfavorable publicity
- Damage to VCU's reputation
- Temporary or permanent loss of the ability to process payment cards

5. How do payment card security breaches happen?
Types of Breaches:
- Hacking into networked computers
- Lost or stolen PCs or media
- Improper disposal of records (paper records not shredded or properly disposed of)
- Intentional disclosure or fraud
- Unintentional disclosure due to human error
Sources of Breaches:
- Improper storage of data
- Insecure applications
- Inadequate network security controls
- Unpatched systems and/or default configuration
- Insecure wireless access points
- Use of default passwords
- No intrusion monitoring
- Unsecured point of sale technology
- Malicious insider