
UNT Payment Card Merchant Handbook
University of North Texas
January 2014, Volume 4, Issue 1
Student Accounting & University Cashiering Services

Contents
- The Purpose of the Handbook
- General Overview
- How does our department accept credit cards online?
- How will UNT comply with PCI DSS?
- How will UNT comply with PCI DSS, continued
- What is my Validation Type?
- Responsibility of the Dept ID/Proj ID Holder
- Responsibility of Dept. ID/Proj ID Holder and Department Designee
- Segregation of Duties
- Cardholder Data Compromised
- Non-Compliant UNT Merchant
- Protecting Cardholder Data
- Payment Card Processing - eCommerce Transactions
- Commerce Manager
- Disputes/Chargebacks
- Payment Card Deposits
- Payment Card Refunds
- Payment Card Sanctions
- Handouts/Reference Websites

The Purpose of the Handbook
The UNT Payment Card Merchant Handbook contains guidelines and policies for UNT payment card merchants. Departments that accept payment card payments should become familiar with the guidelines and policies in this handbook. Each UNT merchant must be PCI DSS compliant. Working with their Departmental Network Manager, the CITC Security Team and Student Accounting and University Cashiering Services, each department will be able to complete the appropriate questionnaire and scan, if required, in order to attain compliance. This compliance must be renewed yearly. The UNT Payment Card Merchant Handbook and the yearly training will be updated as new requirements and changes occur. This handbook and the annual training should be considered a guide for learning best practices for the university.

General Overview
Student Accounting and University Cashiering Services is responsible for managing all aspects of establishing payment card merchants on campus and the processing of payment card transactions. See UNT Policy 2.2.31: http://www.unt.edu/policy/unt_policy/volume2/2_2_31.html

How do I accept credit cards on campus?
Before determining whether accepting credit cards is practical for your department, we encourage departments to ask themselves the following questions:
- What type of resources do I need?
- What can our office do to get ready for ecommerce?
- How much technical effort will there be?
- Will accepting credit cards as a form of payment add any value/revenue to my project?
If a UNT department wants to accept credit cards as a form of payment, it must contact Student Accounting and University Cashiering Services for approval. The department will be required to complete a User Feasibility Questionnaire. The department may obtain the questionnaire by submitting a request to the Cashier Area Supervisor of Student Accounting and University Cashiering Services at pam.johnson@unt.edu.

How does my department accept credit cards online?
Student Accounting has contracted with Nelnet Business Solutions to offer an ecommerce solution that is cost effective for departments while ensuring PCI DSS compliance. Commerce Manager is a web-based payment system designed to host multiple departments. Commerce Manager allows individual departments across campus to conduct business and accept payments online while maintaining central control of accounting and security. If the department is considering an ecommerce solution, your network support and/or web developer will be responsible for developing the department's webpage. Below is some basic technical information our Student Financial Technical Team put together to assist the department's web developer. To use Commerce Manager, there are three actions of interest to the developer:
- Authentication to the Nelnet website
- Handling the results of the transaction at the Nelnet website
- Handling the Nelnet End of Day File for reconciliation or reporting needs

The PCI Security Standards Council ("PCI SSC") owns, maintains and distributes the PCI Data Security Standard (DSS) and all its supporting documents. PCI DSS is a set of comprehensive requirements for enhancing payment account data security, developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International) to help facilitate the broad adoption of consistent data security measures on a global basis. Merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and the exposure introduced into the payment system. All merchants (departments) will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period.

Level/Tier¹ | Merchant Criteria | Validation Requirements
1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region² | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form
2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance form
3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form
4 | Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually | Annual SAQ recommended; quarterly network scan by an ASV if applicable; compliance validation requirements set by the acquirer

¹ Compromised entities may be escalated at regional discretion.
² A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1.

Following PCI DSS requirements is critical and can assist in preventing a security breach. If payment card data is compromised and the university is out of compliance with PCI DSS, the university could be responsible for significant fines and the cost of re-issuing all cards associated with the compromise, and could be permanently prohibited from processing payment cards. It is the responsibility of Student Accounting and University Cashiering Services to provide UNT merchants the information required to remain compliant with PCI DSS. However, it is the responsibility of the Dept. ID/Proj ID holder to ensure their department is following the established policies and procedures. Student Accounting and University Cashiering Services will provide annual training to ensure departments receive current information for PCI compliance.

[Diagram: PCI DSS compliance is shared among Student Accounting and University Cashiering, the Dept ID/Proj ID holder, department personnel, the department network manager, and CITC Security.]

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

PCI Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
*Source: PCI Security Standards Council

How will UNT comply with PCI DSS?
Self-Assessment Questionnaires are based upon SAQ Validation Type (see chart below):

SAQ | Description
A | Card-not-present (ecommerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage
C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
D | All other merchants (not included in the descriptions for SAQs A through C above) and all service providers defined by a payment brand as eligible to complete an SAQ
*Source: PCI Security Standards Council

How will UNT comply with PCI DSS, continued
- Attend annual training.
- Complete the appropriate Self-Assessment Questionnaire (SAQ).
- If required, complete an internal network scan with CITC.
- Make any corrections recommended from the internal scan prior to scheduling the independent scan.
- Complete a network scan by an independent third-party vendor, if required. UNT has contracted with Campus Guard to provide the scan and to provide assistance in achieving compliance.
- Complete a penetration test by qualified internal staff or an independent third-party vendor, if required.
- Enforce the use of Nelnet's QuikPay or other product for ecommerce transactions, and use hardware and software that is PCI DSS compliant.
- Collaborate with Student Accounting, CITC Security and Internal Audit to ensure compliance.

What is my Validation Type?

SAQ A (11-question questionnaire): SAQ A merchants do not store data on their systems or premises. Your location (department):
- accepts only card-not-present transactions (e-commerce or mail/telephone-order);
- does not store, process or transmit any cardholder data on your systems or premises, but relies entirely on a third party to handle all these functions;
- has confirmed that the third party(s) handling storage, processing and/or transmission of cardholder data is PCI compliant;
- retains only paper reports and/or paper receipts with cardholder data, and these documents are not received electronically; and
- does not store any cardholder data in electronic format.
This option would never apply to merchants with a face-to-face POS environment.

SAQ B (29-question questionnaire): SAQ B merchants use only imprint machines or only standalone, dial-out terminals, with no electronic cardholder data storage. Your location (department):
- uses only an imprint machine and/or only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers' payment card information;
- has standalone, dial-out terminal(s) that are not connected to any other system within your environment;
- has standalone, dial-out terminal(s) that are not connected to the Internet;
- does not transmit cardholder data over a network (either an internal network or the Internet);
- retains only paper reports and/or paper receipts, not received electronically; and
- does not store cardholder data in electronic format.

SAQ C-VT (51-question questionnaire): SAQ C-VT merchants use web-based virtual terminals, with no electronic cardholder data storage. Your location (department):
- performs payment processing only via a virtual terminal accessed by an Internet-connected web browser;
- uses a virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider;
- accesses the PCI DSS compliant virtual terminal solution via a computer that is isolated in a single location and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);
- does not have software installed that causes cardholder data to be stored (for example, there is no software for batch processing or store-and-forward);
- does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached);
- does not otherwise receive or transmit cardholder data electronically through any channel (for example, via an internal network or the Internet);
- retains only paper reports and/or paper receipts, not received electronically; and
- does not store any cardholder data in electronic format.

SAQ C (80-question questionnaire): SAQ C merchants have payment application systems connected to the Internet, with no electronic cardholder data storage. Your location (department):
- has a payment application system and an Internet connection on the same device and/or the same local area network (LAN);
- has a payment application system/Internet device that is not connected to any other system within your environment (this can be achieved via network segmentation to isolate the payment application system/Internet device from all other systems);
- is not connected to other locations, and any LAN is for a single store only;
- retains only paper reports and/or receipts, not received electronically;
- does not store cardholder data in electronic format; and
- uses a payment application whose software vendor uses secure techniques to provide remote support to the payment application system.

SAQ D (286-question questionnaire): SAQ D merchants do not meet the descriptions of SAQ A through C described above. While many of the organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some of the requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of the PCI DSS that are specific to managing wireless technology.

Responsibility of the Dept ID/Proj ID Holder
The department designee must comply with UNT Policy and Procedures in regards to Payment Card Industry Data Security Standard (PCI DSS) requirements. See Policy 2.2.31: http://www.unt.edu/policy/unt_policy/volume2/2_2_31.html. The Dept ID/Proj ID holder, along with their departmental network manager, is responsible for completing a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance annually. The PCI Self-Assessment Questionnaire is an important validation tool used by merchants to demonstrate compliance with PCI DSS. UNT has contracted with Campus Guard to provide the questionnaire online at www.campusguard.net. The Attestation of Compliance certifies the accuracy of the information provided on the questionnaire. After completing and passing the questionnaire, the department will work with their network manager and the UNT CITC Security Team to determine if an internal scan is needed for each location (department). Any issues will need to be addressed prior to scheduling the security scan from a third-party vendor.

PCI DSS may require a security scan for merchants to help validate compliance. PCI DSS requires all Internet-facing IP addresses in the cardholder data environment to be scanned for vulnerabilities. To comply with the PCI security scanning requirement, merchants must have their web sites or IT infrastructure with Internet-facing IP addresses in the cardholder data environment scanned. A third-party security assessor will perform external scans at least every three months. Annual penetration testing is completed by a third-party security assessor.

The Dept ID/Proj ID holder will be responsible for ensuring their location (merchant) is following the University payment card guidelines, including PCI DSS requirements. The Dept ID/Proj ID holder will be responsible for immediately reporting personnel changes in their department (employees who process or reconcile payment card transactions) to the UNT ITS Security Office and the Cashier Area Supervisor in Student Accounting and University Cashiering Services. The Dept ID/Proj ID holder must get approval from Student Accounting and University Cashiering Services before purchasing any new equipment and/or software related to credit card processing. Departmental merchants are required to complete annual training and sign a security agreement confirming the department (merchant) is following the PCI DSS requirements for safeguarding cardholder data. The Dept ID/Proj ID holder and any Department Designee are required to complete the training and sign the agreement.

Responsibility of Dept. ID/Proj ID Holder and Department Designee
The department designee must comply with UNT Policy and Procedures in regards to Payment Card Industry Data Security Standard (PCI DSS) requirements. See Policy 2.2.31: http://www.unt.edu/policy/unt_policy/volume2/2_2_31.html
- All cardholder data, including documentation, must be stored in a secure area at all times.
- Cardholder data shall not be printed on receipts.
- Ensure payment card data is not downloaded or stored on a computer or network within the department.
- Do not share login names and passwords to systems that access payment card data.
- Keep duties related to payment card processing segregated for accountability. The employee who processes the payment card transaction should balance their daily activity; however, a different employee should be responsible for reconciling the activity each month.
- If a compromise of cardholder data is suspected, the department designee should inform the Dept ID/Proj ID holder to ensure the department's network manager, the CITC Information Security Team, Internal Audit and the Cashier Area Supervisor of Student Accounting and University Cashiering Services are contacted immediately. The employee should not do anything else on the suspected compromised workstation. Until CITC Security advises otherwise, the network cable should be unplugged from the workstation in question.
- The Dept ID/Proj ID holder and any department designee are responsible for completing the annual credit card merchant training offered through Student Accounting and University Cashiering Services.
- The Dept ID/Proj ID holder and department designee are responsible for notifying Student Accounting and University Cashiering Services prior to any changes/upgrades to equipment and/or software used to process credit card transactions.
- The Dept ID/Proj ID holder and the department designee must get approval from Student Accounting and University Cashiering Services before purchasing any new equipment and/or software related to credit card processing.

Segregation of Duties
The Dept. ID/Proj ID holder is responsible for departmental segregation of duties. Any individual who processes payment card transactions should not be involved with the monthly reconciliation.

Reconciliation: a thorough reconciliation of payment card transactions would include the following documentation:
- The reports generated from the payment card terminal, YourPay or QuikPay should be reconciled to the department's internal receipts daily, or whenever transactions have been processed.
- The reports generated from the payment card terminal, YourPay or QuikPay should be reconciled to the accounting entries generated in the Financial Reporting Office and to the Departmental Management Budget Report. Access to the Departmental Management Budget Report is available at my.unt.edu for monthly reconciliation.

Cardholder Data Compromised
If cardholder data for which you are responsible is compromised, the university may be subject to the following liabilities and fines associated with each instance of non-compliance:
- Potential fines of up to $500,000 (at the discretion of Visa and MasterCard).
- All fraud losses incurred from the use of the compromised account numbers from the date of the compromise going forward.
- The cost of re-issuing all cards associated with the compromise.
- The cost of any additional fraud prevention/detection activities required by the card associations (e.g. a forensic audit) or costs incurred by payment card issuers associated with the compromise (e.g. additional monitoring of systems for fraudulent activity).
- Being permanently prohibited from processing payment card transactions.
- Most important: the University's reputation (brand) is damaged.
If a compromise of cardholder data is suspected, the Dept ID/Proj ID holder or departmental designee should immediately contact their network manager, the CITC Information Security Team, Internal Audit and the Cashier Area Supervisor in Student Accounting and University Cashiering Services. The department (merchant) must provide any materials or records that contain cardholder data if a breach is suspected or confirmed. Do not log into the workstation/computer suspected of compromise; isolate it by unplugging its network cable and leave it powered on so that evidence is preserved for the investigation.

Non-Compliant UNT Merchant
If a merchant is found to be non-compliant with PCI DSS, UNT policy for accepting credit cards and/or UNT established best practices, Student Accounting and University Cashiering Services, with the assistance of CITC Security, may require the non-compliant merchant to cease acceptance of credit cards immediately. Any non-compliant website and any non-compliant point-of-sale location will be required to cease operation until deemed compliant. It is the responsibility of the merchant to work with Student Accounting, CITC Security and their Network Manager to become compliant. After CITC and Student Accounting have verified compliance, the merchant will be allowed to resume credit card activities.

Educational institutions are disproportionately vulnerable to security breaches. Higher Education is consistently in the top 2. (Chart omitted; source: Privacy Rights Clearinghouse, 2005-2009.)

Protecting Cardholder Data
Payment card information should be kept secured and confidential at all times.
- Cardholder data should be secured in a locked safe or file cabinet. The area designated to store cardholder data should be restricted to the Dept ID/Proj ID holder and/or any department designee responsible for processing or researching a transaction.
- Any payment card point-of-sale terminal should be placed in a secure area to prevent access to data within the terminal.
- Access to payment card data should be restricted to those individuals whose job requires such access.
- The customer and merchant receipt (as well as any other form that may contain cardholder data) should only display the last four digits of the account number.
- PIN pads or magnetic stripe readers should not be attached to a payment card terminal or computer.
- Track data may not be stored in any device used for payment card processing. Track data is defined as the data elements stored within the magnetic stripe on the back of a card, as well as the card validation code (the three- or four-digit value printed on the signature panel of the card). This information includes all the data required to commit fraud on a cardholder's account.
- Payment card information cannot be stored on computers or networks, regardless of encryption.
- Cardholder data must be transmitted and received in a secure manner. If your department receives payment card information by secure fax and/or mail, all digits of the card number except the last four must be removed before the document is retained for your records.
- Cardholder data must not be sent to a fax application with an IP address.
- Fax machines must be in a secured area (a room with a locking door) with no through traffic and with limited access.
- Cardholder data must not be received by email.
- Payment card receipts should be stored according to UNT's records retention schedule. All receipts must be shredded after that time. Currently, the UNT retention schedule is 3 years plus the current fiscal year. See http://www.unt.edu/compliance/recordsretention.shtml, Series Item # 4.2.002, number 44, Cash Receipts.
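The two rules above that a department can actually check mechanically are "only the last four digits" and "no track data, no card data by email". The following is an added example, not UNT's, Nelnet's or Wells Fargo's code, of a small Python check a department could run over a received message or a file before it is retained: it masks every Luhn-valid card number down to the last four digits and flags or strips magnetic-stripe track data. The regular expressions, the function names and the sample message are this example's own assumptions; the card numbers in the sample are standard test numbers that pass the Luhn check but belong to no real account.

```python
"""Added example (not UNT's, Nelnet's or Wells Fargo's code): mask primary
account numbers (PANs) to the last four digits, as the handbook requires for
receipts and retained fax/mail copies, and detect unmasked PANs or
magnetic-stripe track data in text such as an email body, which the handbook
says must never carry cardholder data.

The regular expressions, function names and SAMPLE_MESSAGE are assumptions of
this example. The card numbers are standard test numbers (Luhn-valid, no real
account).
"""
import re

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Magnetic-stripe track data as it appears in a raw swipe:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
#   Track 2: ;<PAN>=<YYMM><service code>...?
_TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}[^?]*\?")
_TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs
    that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits with '*'; separators are dropped,
    so the result is what may appear on a receipt or a retained fax copy."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> dict:
    """Report what cardholder data the text contains.

    Returns {'pans': [Luhn-valid PANs, digits only, in order of appearance],
             'track_data': True if track 1 or track 2 data is present}.
    """
    pans = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    has_track = bool(_TRACK1_RE.search(text) or _TRACK2_RE.search(text))
    return {"pans": pans, "track_data": has_track}


def redact(text: str) -> str:
    """Strip track data outright (it may never be retained) and mask every
    Luhn-valid PAN; non-PAN digit runs such as order numbers are left alone."""
    text = _TRACK1_RE.sub("[TRACK DATA REMOVED]", text)
    text = _TRACK2_RE.sub("[TRACK DATA REMOVED]", text)

    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    return _PAN_RE.sub(_mask, text)


# Constructed sample: an email a department might wrongly receive. The first
# number is a Luhn-invalid order number and must survive redaction untouched.
SAMPLE_MESSAGE = (
    "Order 1234567890123456 paid by card 4111 1111 1111 1111 exp 12/25\n"
    "Backup card 5555555555554444, CVV on file\n"
    "Swipe dump: ;4111111111111111=25121010000000000000?\n"
)

if __name__ == "__main__":
    report = scan(SAMPLE_MESSAGE)
    print("PANs found:", [mask_pan(p) for p in report["pans"]])
    print("Track data present:", report["track_data"])
    print(redact(SAMPLE_MESSAGE))
```

The Luhn check is what keeps the scanner from masking every sixteen-digit order or reference number, but it is only a filter: a pattern-based check of this kind misses numbers broken across lines or written with unusual separators, and it is a last line of defence, not a substitute for keeping card data out of email and off departmental systems in the first place. Treat any hit as a reportable finding under the "Cardholder Data Compromised" section, since the data has already reached a system where it must not be.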

Payment Card Processing - eCommerce Transactions
Departmental merchants that process payment card transactions using a web-based product must follow additional guidelines to be compliant with PCI DSS requirements. A department interested in processing payment card transactions with a web-based product (ecommerce) must contact the Cashier Area Supervisor in Student Accounting and University Cashiering Services before purchasing from and/or contracting with a vendor. Ecommerce is defined as conducting business communications and transactions over networks and through computers. Student Accounting maintains a partnership with Nelnet/QuikPay as the University's ecommerce (online payment) provider. QuikPay is certified compliant with PCI DSS requirements. Payment card information is collected at QuikPay's website and processed for authorization there; cardholder data is not transmitted over the university network. For smaller departments*, Student Accounting and University Cashiering Services offers a Nelnet product called Commerce Manager (see Commerce Manager below).
*The department will have to apply for this service.

Wells Fargo, our acquiring bank, is the payment card processor for the university. As the payment card processor, Wells Fargo assists with equipment recommendations to ensure the University is using PCI DSS compliant hardware and software. Any change in technology related to payment card processing in your office should be reported to the Cashier Area Supervisor in Student Accounting and University Cashiering Services prior to implementing the change/upgrade.

Commerce Manager
Commerce Manager is a web-based payment system designed to host multiple departments. Commerce Manager allows individual departments across campus to conduct business and accept payments online while maintaining central control of accounting and security. Below is some basic technical information the Student Financial Technical Team put together to assist departments. To use Commerce Manager, there are three actions of interest to the developer:
- Authentication to the Nelnet website
- Handling the results of the transaction at the Nelnet website
- Handling the Nelnet End of Day File for reconciliation or reporting needs
If a department is interested in using Commerce Manager, they should email the Cashier Area Supervisor at pam.johnson@unt.edu in the Student Accounting and University Cashiering Services Office.

Disputes/Chargebacks
Disputes/chargebacks from cardholders will be sent directly to Student Accounting and University Cashiering Services. The information will be forwarded to the department's designated contact employee. A reply and all supporting documentation must be returned in writing within two (2) working days. Supporting documentation will include a signed sales receipt and/or signed written authorization from the cardholder and/or their authorized user. It is the merchant's responsibility to maintain all documentation on credit card transactions. Any questions regarding disputes/chargebacks should be directed to Student Accounting and University Cashiering Services. The Dept ID/Proj ID will be charged back for a dispute/chargeback if the departmental representative does not provide the supporting documentation for the transaction in question by the requested time.

Payment Card Deposits
All payment card transactions for sales and services provided by the University must be deposited to a university Dept ID or Proj ID. UNT Financial Reporting will generate the accounting entry that credits the Dept ID/Proj ID for payment card sales. Each payment card merchant determines which Dept ID/Proj ID will receive the credit for the deposit. Contact UNT Financial Reporting (ext. 4875) to have funds allocated to another Dept ID/Proj ID or split among several Dept IDs/Proj IDs. The department should verify that all credit card transactions are deposited accurately by reviewing, monthly, the daily detail transaction reports produced from EIS.

Payment Card Refunds
Any refund should be returned to the source of payment; therefore, credit card refunds should be returned to the credit card.

Payment Card Sanctions
The following sanctions will apply to any UNT merchant who fails to complete the annual required training, self-assessment questionnaire and network scan, if necessary.
- A month in advance of expiration, a notice will be sent by the Cashier Area Supervisor to the Dept ID holder, the department's designated employee, and technical support indicating that the required SAQ must be completed by the specified deadline. The Assistant Director of Operations of SAUCS will be copied on this email.
- A week prior to the expiration, a reminder will be sent by the Assistant Director of Operations to the Dept ID holder, Dept ID supervisor, Department Chair, Department Dean, the department's designated employee, and technical support, including the first notice and stressing the importance of completing the required SAQ, the required scans (if needed) and/or the required training before the stated deadline. The Director of SAUCS will be copied on this email.
- A week after the compliance deadline has expired, the Assistant Director will send a second notice to the Dept ID holder stressing the critical need to complete the requirements for compliance. The Director of SAUCS, Dept ID supervisor, Department Chair, Department Dean, the Department's Vice President, the Associate Vice President of Finance/Administration, Controller, Vice President of Finance/Administration, Internal Audit and the CITC Security Team will be copied on this email.
- Two weeks after that post-deadline notice, the Director of SAUCS will send a notice indicating that access to take credit cards will be terminated if action towards compliance is not achieved. The Dept ID supervisor, the Department Chair, the Department Dean, the Department's Vice President, the Associate Vice President of Finance/Administration, Controller, the Vice President of Finance/Administration, Internal Audit, the CITC Security Team and the UNT System Compliance Officer will be copied on this email.
- If compliance is not achieved after the previous notices, the Director of SAUCS will instruct the Assistant Director of Operations and the Cashier Area Supervisor to contact the CITC Security Team and/or Wells Fargo Merchant Services to begin the termination process, depending upon which type of equipment is used by the department. Reinstatement of services will occur after PCI DSS compliance has been achieved.
NOTE: If there are extenuating circumstances and/or the department is working towards compliance, there will be an exception for administrative review by the Associate Vice President of Finance/Administration, Controller or Vice President of Finance/Administration.

Handouts/Reference Websites
- Payment Card Industry (PCI) Data Security Standard: https://www.pcisecuritystandards.org
- Approved Companies & Providers (PA-DSS): https://www.pcisecuritystandards.org/approved_companies_providers/index.php
- Treasury Institute for Higher Education: http://www.treasuryinstitute.org
- Privacy Rights Clearinghouse: http://www.privacyrights.org/