2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Similar documents
Credit Card Handling Security Standards

Information Technology

Appendix 1 Payment Card Industry Data Security Standards Program

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Payment Card Industry Compliance

Accepting Payment Cards and ecommerce Payments

TERMINAL CONTROL MEASURES

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

Standards for Business Processes, Paper and Electronic Processing

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

CAL POLY POMONA FOUNDATION. Policy for Accepting Payment (Credit) Card and Ecommerce Payments

Viterbo University Credit Card Processing & Data Security Procedures and Policy

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Dartmouth College Merchant Credit Card Policy for Processors

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

POLICY SECTION 509: Electronic Financial Transaction Procedures

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

policy D Reaffirmation of existing policy

CREDIT CARD PROCESSING POLICY AND PROCEDURES

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

Payment Card Acceptance Administrative Policy

University of Virginia Credit Card Requirements

SAN DIEGO STATE UNIVERSITY RESEARCH FOUNDATION CREDIT CARD PROCESSING & SECURITY POLICY MERCHANT SERVICES POLICIES & PROCEDURES

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING

Information Security Policy

University of Sunderland Business Assurance PCI Security Policy

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Josiah Wilkinson Internal Security Assessor. Nationwide

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

PCI Data Security and Classification Standards Summary

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

CREDIT CARD PROCESSING & SECURITY POLICY

Why Is Compliance with PCI DSS Important?

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY October

UW Platteville Credit Card Handling Policy

Credit and Debit Card Handling Policy Updated October 1, 2014

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Becoming PCI Compliant

UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures

CREDIT CARD SECURITY POLICY PCI DSS 2.0

Saint Louis University Merchant Card Processing Policy & Procedures

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

University of Liverpool

Merchant Card Processing Best Practices

How To Complete A Pci Ds Self Assessment Questionnaire

Credit Card Processing and Security Policy

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry - Achieving PCI Compliance Steps Steps

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Frequently Asked Questions

SECTION 509: Payment Card and Electronic Funds Transfer (EFT) Procedures

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Policies and Procedures. Merchant Card Services Office of Treasury Operations

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PCI DSS Presentation University of Cincinnati

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Project Title slide Project: PCI. Are You At Risk?

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry Data Security Standard

PCI Data Security. Information Services & Cash Management. Contents

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

Transcription:

CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with the Payment Card Industry Data Security Standards (PCI DSS) and are appropriately integrated with the University s financial and other systems. Such actions protect the interests of the University, its associated Auxiliaries, and its customers. This standard applies to all types of credit card activity transacted in-person, over the phone, via fax, mail or the Internet. 2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS) The campus and all departments that process credit or debit card information must comply with the Payment Card Industry Data Security Standards (PCI DSS). This includes the acquiring, accepting, capturing, storing, processing or transmitting of credit or debit card data, in both electronic and non-electronic formats. PCI DSS is a set of comprehensive requirements for enhancing credit card data security. PCI data security standards were developed by the PCI Security Standards Council, and a single violation of any of the requirements can trigger an overall non-compliant status. Each non-compliant incident may result in steep fines, suspension and revocation of card processing privileges. Although the primary focus of the PCI DSS is on web-based sales and processing credit card information via the Internet, there are other processes that allow systems to be Internet accessible, which may expose cardholder information. All campus credit card merchants, including merchants transmitting via a terminal on a dedicated phone line, or other approved method of transmission must complete an annual self-assessment survey and, if applicable, an internal scan and a remote external scan by a PCI DSS approved vendor. 3.0 SCOPE Implements: CSU Policy 3102.5 Debit/Credit Card Payment Policy Policy Reference: https://csyou.calstate.edu/policies/icsuam/pages/3102-05.aspx Any college, department, auxiliary organization, entity or individual that in any way accepts, captures, stores, processes or transmits credit or debit card information, using campus information assets, (both electronic and non-electronic), or uses third-party service providers to do this for you; is governed by this Information Security Standard. Information Security Office 1 7/29/2015 v1.0

4.0 CSU, CHICO CREDIT CARD ACCEPTANCE PROCEDURE ICSUAM 3102.5 requires that the campus CFO or designee approve all physical locations, websites, 3 rd party processor, or any channel accepting credit card payments. Any change involving credit card acceptance must first be approved by the CFO or his/her designee. The CSU, Chico Credit Card Acceptance Procedure must be followed prior to any addition or modification to credit card acceptance. <LINK TO CREDIT CARD ACCEPTANCE PROCEDURE> 5.0 ROLES AND RESPONSIBILITIES The University Chief Financial Officer or his/her designee, the Director of Student Financial Services, are responsible for the administration of Credit Card Procedures. See CSU, Chico Credit Card Procedures The Information Security Officer is responsible for coordinating the university s compliance with the PCI Data Security Standards technical requirements. 6.0 DEPARTMENT RESPONSIBILITIES It is the responsibility of the Appropriate Administrator to ensure compliance with the campus standards for accepting credit cards. Departments will meet the following administrative requirements: 1) Ensure that all employees, contractors, and agents with access to payment card data within the relative department complete appropriate training, and acknowledge on an annual basis, in writing, that they have read and understood relevant policies and standards. 2) Perform background checks Departments must perform applicable background checks on potential employees who have access to systems, networks, or cardholder data within the limits of CSU, Chico HR policy, union bargaining agreements and local law. If employees have access to one card number at a time to facilitate a transaction, such as store cashiers, background checks are not necessary. 3) Prior to addition of or modification to credit card acceptance method, complete the Credit Card Channel Acceptance Form, obtain the approval and signature of the Appropriate Administrator, and submit to the Director of Student Financial Services for authorization. << Link to Form>> Information Security Office 2 7/29/2015 v1.0

4) Document departmental credit card payment flows for each method, channel or business process where credit cards are accepted. Sample credit card payment flows are located on the CSU, Chico PCI-DSS Website. 5) Complete the appropriate CSU, Chico Annual Credit Card Security Self Assessment Questionnaire and forward it to the Information Security Office (ISEC), Zip 290, for review. Questionnaires are located on the CSU, Chico PCI-DSS Website. 6) Provide up to date annual assessment documents and PCI certifications to ISEC. 7) Maintain department credit card security handling procedure that comply with the PCI DSS In addition to complying with campus information security policy and standards, departments should establish procedures for physically and electronically safeguarding cardholder information. Exceptions to these policies and procedures may be granted with written approval from an appropriate administrator. 8) Communicate procedures to staff Appropriate administrators should communicate the department credit card security handling procedures to staff and ensure that the Credit Card Handlers and Processors Responsibilities section of this standard is followed for all personnel involved in credit card transactions. 7.0 TECHNICAL REQUIREMENTS 1) Prevent unauthorized access to cardholder data and secure the data Appropriate administrators should establish procedures to prevent access to cardholder data in physical or electronic form. Hard copy or media containing credit card information should be stored in a locked drawer or office, and password protection should be used on computers. 2) Restrict access based on a business need-to-know Access to physical or electronic cardholder data should be restricted to individuals whose job requires access. Appropriate administrators should establish appropriate segregation of duties between personnel handling credit card processing, the processing of refunds, and the reconciliation function. 3) Assign a unique ID to each person with computer access Departments should ensure that a unique ID is assigned to each person with computer access to credit card information. User names and passwords may not be shared. 4) Transmitting credit card information by e-mail or fax Full or partial credit card numbers and three or four digit validation codes (usually on the back of credit cards) may not be faxed or e-mailed unless personnel have been authorized to do so, and processes exist to securely store and dispose of the information. If transmitted by email, the contents must be encrypted or in a password protected file. 5) Never store electronically the CVV, CVV2 validation code, or PIN number - Departments must not store the three or four digit CVV or CVV2 validation code from the credit card or the personal identification number (PIN). Information Security Office 3 7/29/2015 v1.0

6) Mask 12 of the 16 digits of the credit card number - Terminals and computers must mask all but the first 6 digits and/or the last 4 digits of the credit card number (masking all digits but the last 4 is standard practice on campus). 7) Using imprint machines Imprint machines need special handling as they display the full 16 digit credit card number on the customer copy. Departments should not use imprint machines to process credit card payments unless personnel have been authorized to do so, and processes exist to securely store and dispose of the information. 8) Departments must maintain a list of all devices used to processes credit cards. 9) Departments must maintain a list of all vendors and vendor applications used to process credit cards. 10) The use of personal computers to process credit cards using card swipes or keyboard entry is prohibited without prior approval and must be network isolated (with ingress and egress rules) and must be a single use system. 11) In the event of a suspected or confirmed loss of cardholder data, immediately notify the Information Security Office and the Student Financial Services Office. Details of any suspected or confirmed breach should not be disclosed in any email correspondence. After normal business hours, notification shall be made University Police at (530) 898-5555. 8.0 CREDIT CARD HANDLERS AND PROCESSORS RESPONSIBILITIES Staff or faculty with access to credit or debit card holder data must not: 1) Acquire or disclose any cardholder s credit card information without the cardholder s consent including but not limited to the full or partial sixteen (16) digit credit card number, three (3) or four (4) digit validation code (usually on the back of credit cards), or PINs (personal identification numbers) 2) Transmit or request any credit card information by e-mail or fax. If someone e-mails their data, staff and faculty should make them aware that, for their own safety, they should not do this again. The email or fax should be destroyed as soon as possible 3) Electronically store or record any credit card information in any electronic format (Excel files, databases, e-mail, etc.) unless they have been authorized to do so by the Information Security Office 4) Request, record, or store any of the magnetic stripe data or the credit card confirmation code (three digit on the back of many cards and 4 digits on the front of American Express) 5) Share a computer password if they have access to a computer with credit card information Staff or faculty with access to credit or debit card holder data should: 1) Change a vendor-supplied or default password if they have access to a computer with credit card information. Information Security Office 4 7/29/2015 v1.0

2) Password protect their computer if they have access to a computer with credit card information. 3) Store all non-electronic, physical documents or storage media containing credit card information in a locked drawer, locked file cabinet, or locked office 4) Store all electronic files on a secured server, or as encrypted or password protected files 5) Review devices which are used to process credit cards for tampering. 6) Report immediately a credit card security incident to an appropriate administrator if they know or suspect credit card information has been exposed, stolen, or misused. 7) Store only essential credit card information. Any stored information must be destroyed in accordance with the campus Record Retention Schedule. All media used for credit cards must be destroyed when retired from use. All hardcopies must be shredded prior to disposal. 9.0 STORING CREDIT AND DEBIT CARD HOLDER DATA Storage of credit card numbers on University owned computers, servers, or in University developed applications is prohibited. Storage of credit cardholder data in non-electronic (faxes, imprint machine slips, handwritten forms, etc) data must follow cash handling standards. Additional; information regarding storage of credit and debit cardholder information can be found in Appendix A. 10.0 Documentation Review & Approval Date Audience Action Version 2/2/2009 System Security Meeting Presented v1.0 2/27/2009 CIO Reviewed v1.0 2/27/2009 CIO Approved v1.0 3/2/2009 Cabinet Reviewed v1.0 3/1/2011 CIO Pending v1.2 5/11/2015 Policies and Standards Group Reviewed / Recommended v2.0 7/21/2015 Information Technology Executive Committee (ITEC) Approved v2.0 Information Security Office 5 7/29/2015 v1.0

Appendix A: Credit Cardholder Data Storage Requirements The following table includes high level information regarding storage and protection of cardholder data. Element of Data Is Storage Allowed? Is Protection Required? PCI DSS Requiremet 3.4 Primary Account Number (PAN) YES YES YES Cardholder Name* YES YES* NO Cardholder Data Service Code* YES YES* NO (Front of Card) Expiration Date* YES YES* NO Full Magnetic Strip NO N/A N/A Sensitive CVC2/CVV2/CID NO N/A N/A Authentication Data PIN/PIN Block NO N/A N/A (Back of Card) * These data elements must be protected if stored in conjunction with the PAN Even when the storage of credit card holder data is necessary, only some data elements (from the front of the card) may be stored as long as they are protected. Protection of data means that it needs to be encrypted or otherwise made unreadable (PCI DSS Requirement 3.4). However the sensitive authentication data (from the back of the card) may not be stored. Additionally, only some data elements may be kept for the charge back process, whereas others may not. Sensitive authentication data, such as CVV2, are used for charge back verification but must not be stored. The entire 16 digit Primary Account Number (PAN), which is also used in charge back verification, cannot be kept in an unprotected mode. Only the first 6 and/or the last 4 digits can be stored in this manner, because in this form, they are not card holder data. For example: Name + Expiry Date + Service Code is not cardholder data because the PAN is not retained 1234 5678 9012 3456 + Name + Expiry Date is cardholder data because the PAN is retained; so everything must be protected 1234 56xx xxxx 3456 + Name + Expiry Date is not cardholder data because store the first 6 and the last 4 digits unprotected 1234 56xx xxxx 3456 + Name + CVV2 cannot be stored since sensitive authentication data is retained The PCI DSS storage rules also apply to digital voice and fax systems. Digital voice systems are searchable, so if a recording contains sensitive authentication data (CVV2/CVC2/CID), it cannot be stored and must be cleaned. Restricting both physical and logical access to such voice systems is recommended. Fax paper records also need to have sensitive authentication data deleted. This can be easily achieved by using forms in which a section can be removed. If the fax system has memory, that too needs to have the sensitive authentication data erased. PCI DSS storage rules also apply to any third party providers that you use for outsourcing; so departments should ensure that they are PCI compliant as part of any contract. Information Security Office 6 7/29/2015 v1.0

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information