Payment Card Handling Policy

No. 10-4 Rev. 08-11-09 Date 06-10-08



I. PURPOSE

The purpose of this policy is to protect payment card data and to comply with the Payment Card Industry's Data Security Standards (PCI DSS) requirements for transmitting, handling and storage of payment card data.

Throughout this policy the term payment card is used to refer to credit, debit or charge cards.

This Policy does not include information on Purchasing Cards. For information on Purchasing Cards (PCARDs), please refer to PPM 5-25i.

II. REFERENCES

III. DEFINITIONS

CVC2/CVV2 - A 3- or 4-digit value printed on the card or signature strip used for card validation or verification.

Degaussing (erasure) – A process that renders previous data unrecoverable. Proper degaussing will ensure there are not sufficient magnetic remnants to reconstruct the data.

Cardholder data - The Primary Account Number (PAN) by itself or in conjunction with the cardholder name, expiration date, cardholder address, cardholder social security number or any other type of cardholder identifying information.

eCommerce – Electronic commerce consists of the buying and selling of products or services over electronic systems such as the Internet or other computer networks.

Mask (or truncate) - Practice of removing a data segment. Commonly, when account numbers are truncated, the first 12 digits are deleted, leaving only the last 4 digits while replacing the deleted numbers with asterisks (*).

Media - Objects on which data can be stored. These include computers, removable electronic media, networking and communications hardware, telecommunications lines, paper receipts, paper reports, and faxes.

Payment Card – An instrument used in lieu of cash in the form of a credit, debit or charge card.

Payment Card Industry Data Security Standards (PCI DSS) – Data security standards developed by the major payment card companies (Visa, Mastercard, Discover, American Express and JCB) as a guideline to help organizations that process card payments prevent fraud, hacking and various other security vulnerabilities and threats.

Payment Application Data Security Standards (PA DSS) - Data security standards developed under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP) as a guideline for software vendors and others to develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and that ensure their payment applications support compliance with the PCI DSS.

Payment Card Merchant - A department or other entity which processes payment card transactions.

Payment Gateway - Facilitates the transfer of payment card transaction information between a payment portal (such as a website) and the acquiring bank.

Primary Account Number (PAN) – The card number that identifies the issuer and the particular cardholder account.

POS device – A Point of Sale device is the hardware and software used at retailer checkouts to accept cards for payment of goods or services.

Track Data – The information needed to complete a payment transaction, encoded and stored within the magnetic stripe on the back of a payment card.

IV. POLICY

a) All colleges and divisions within the University that function as a payment card merchant must comply with established security control measures including:

1. Approval from the University’s Bursar before entering into any contract or purchase of software and/or equipment that involve payment cards. This requirement applies regardless of the transaction method or technology used (e.g. eCommerce, POS device) (Ref. PPM 5-4c).

2. Compliance with University Procurement policies (PPM 5-25).

3. Notification to the University Network Security Administrator and Information Security Office of all technology implementations.

4. Establishment of payment card handling procedures for safeguarding cardholder data. This pertains to ALL transactions initiated via the telephone, over the counter, mail order, eCommerce, etc.

5. Compliance with Payment Card Industry Data Security Standards (PCI DSS).

6. Participation in an annual security self-assessment and reporting of the results of that assessment to the Vice President of Administrative Services to ensure compliance with this policy and associated procedures.

7. Payment applications and POS devices implemented must be PA DSS validated.

b) All eCommerce payments must be processed through a University approved payment gateway, unless an exemption has been approved by the University Bursar and the Information Security Office.

1. A college or division of the University shall not enter into an outsourcing agreement with a third-party provider, including software applications for payment card processing, until such an agreement is first approved by the University Bursar and the Information Security Office.

c) All cardholder data and customer information must be kept secure and confidential.

1. Payment card receipts should be treated in the same manner as cash.

2. All media containing cardholder data must be maintained in a secure environment limited to authorized staff. Secure environments include locked drawers, file cabinets in locked offices, safes and encrypted electronic storage devices. [i]

i. Payment card merchants who accept mail or phone payments must immediately destroy any paper notes that contain the cardholder’s PAN once the transaction is completed.

3. The CVC2/CVV2 and track data must never be stored on computers or networks. [ii]

4. The PAN and expiration date must be truncated, masked or encrypted wherever it is electronically stored. [iii]

5. Cardholder data must be transmitted or delivered in a secured manner, such as SSL encryption, or sealed envelopes through the US postal service or equivalent. [iv]

a. Approval from the University Bursar and Information Security Office must be obtained prior to receiving cardholder data via facsimile.

6. Cardholder data must never be sent or accepted over email. [v]

7. Cardholder data must not be stored in spreadsheets, word processing documents, personal databases, text files or other types of data storage mechanisms.

8. The payment card merchant must use processing equipment that produces receipts with a masked (or truncated) cardholder’s PAN. Payment card merchants must mask the cardholder’s PAN on the customer’s receipt and should also mask the merchant’s copy of the receipt if there is no business constraint. [vi]

9. The level of security controls applied to the University’s network must at least match the highest level of classification of the data being transmitted (Ref. PPM 10-1).

10. All personnel involved in payment card handling are required to attend payment card handling security training at least annually. [vii]

d) All cardholder data and customer information must be protected from unauthorized access.

1. Physical and electronic access to payment card processing and cardholder data must be restricted to appropriate and approved personnel. [viii]

2. Background checks must be performed in accordance with the Employment of Persons with Criminal Records Policy (PPM 3-5a). [ix]

3. Appropriate segregation of duties must be established between payment card processing (including refunds) and the reconciliation function. Supervisory approval of all payment card refunds is required.

4. The University Information Security Office and Network Security Administrator must be notified prior to implementation of any technology changes affecting payment card transaction processing associated with the merchant account.

5. Proper user authentication and password management must be in place as required by PCI DSS and the University Information Security Policy (PPM 10-1). [x]

6. All access to cardholder data must be logged and monitored. [xi]

e) All breaches in security regarding cardholder data must be reported to the appropriate Data Security Steward and Information Security Office. [xii]

f) Self assessments and testing must be performed to ensure compliance with PCI DSS.

1. Payment card handling procedures are subject to audit by the University Internal Audit department and external audit or Payment Card review firms.

2. An annual PCI DSS self-assessment and periodic network-based vulnerability scans must be conducted to ensure security controls are in place to protect the technology implementations. [xiii]

3. The results of the annual self-assessment must be reported to the Vice President of Administrative Services and the Chief Information Officer.

4. Departments not complying with approved safeguarding, storage and processing procedures may lose the privilege to serve as a payment card merchant.

g) Payment card transaction records and cardholder data must be retained and destroyed appropriately.

1. Original sales receipts and all supporting documentation must be retained as established by the Utah Code Ann. Section 63-2-101 et seq. or the State Agency General Records Retention Schedule. [xiv]

i. All paper documentation containing cardholder data must be destroyed in a manner that will render it unreadable, e.g. cross-cut shredding or taking the paper documents to a burn plant facility and obtaining a certificate of burning. [xv]

ii. All electronic cardholder data must be rendered unreadable by destroying the media on which it is stored, e.g. drilling holes in the media or, when cost-effective, degaussing. [xvi]

h) Payment Card Merchants with Payment Cards that have been inadvertently left and remain unclaimed:

1. May return a Payment Card inadvertently left at their location to the Cardholder until the close of the following business day. A Payment Card may only be returned to the cardholder if positive identification is provided.

i. A Payment Card not claimed by the cardholder by the close of the following business day must be processed in accordance with the applicable merchant agreement (e.g. following the lost Payment Card instructions on the back of the Payment Card, or sending the Payment Card to the University Cashiering department).

Notes (PCI DSS requirement references):

[i] Requirement 9.6
[ii] Requirement 3.2
[iii] Requirement 3.4
[iv] Requirement 4.1
[v] Requirement 4.2
[vi] Requirement 3.3
[vii] Requirement 12.6
[viii] Requirement 7.1
[ix] Requirement 12.7
[x] Requirement 8.5
[xi] Requirement 10.2
[xii] Requirement 12.9
[xiii] Requirement 11.2
[xiv] Requirement 3.1
[xv] Requirement 9.10
[xvi] Requirement 9.10