Payment Card Industry Data Security Standard

I. Standard

Every department that would like to accept payment cards and/or electronic payments on behalf of the university or change an existing account must submit an APPLICATION FOR PAYMENT CARD ACCOUNT ACQUSITION OR CHANGE form to request approval. Each of these departments is required to appoint a management employee who will have authority and responsibility for payment card transaction processing within that department.

II. BACKGROUND

In response to increasing incidents of identity theft, the major payment card companies created the Payment Card Industry Data Security Standard (PCI DSS) to help prevent theft of customer data. PCI DSS applies to all businesses that accept payment cards to procure goods and services or donate to the University. Compliance with this Standard is enforced by the payment card companies and generally, non-compliance is discovered when an organization experiences a security breach that includes card member data.

Security breaches can result in serious consequences for the University and the associated Auxiliaries including release of confidential information, damage to reputation, the assessment of substantial fines, possible legal liability and the potential loss in the ability to accept payment card and eCommerce payments.

III. SCOPE

This policy applies to all Sonoma State University and Auxiliary employees, contractors, consultants or agents who, in the course of doing business on behalf of the University, accept, process, transmit, or otherwise handle cardholder information in physical or electronic format.

This policy applies to all University departments, administrative areas, and Auxiliaries which accept payment cards regardless of whether revenue is deposited in a University or Auxiliary account.

IV. RESPONSIBILITIES

Every department or administrative area accepting payment cards and/or electronic payments on behalf of the University for goods, services, or donations (Merchant Department) must designate a "Merchant Department Responsible Person" (MDRP), a management employee within that department who will have primary authority and responsibility for payment card and eCommerce transaction processing.

All MDRPs are responsible for:

  • Executing Payment Card Account Acquisition or Change Procedures.
  • Ensuring that all employees, contractors, and agents with access to payment card data within the relative Merchant Department acknowledge on an annual basis and in writing that they have read and understood this Policy. These acknowledgements should be submitted, as requested, to the Accounts Receivable/Cashier Manager.
  • Ensuring that all payment card data collected by the relevant Merchant Department in the course of performing University business, regardless of whether the data is stored physically or electronically, is secured according to the standard listed in Appendix 3.
  • In the event of a suspected or confirmed loss of cardholder data, the MDRP must immediately notify the Information Security Office. Details of any suspected or confirmed breach should not be disclosed in any email correspondence. After normal business hours, notification shall be made to Sonoma State Police and Parking Services (707) 664-4444.

V. POLICY MONITORING

The Information Technology department will coordinate the university’s compliance with the PCI Data Security Standard’s technical requirements and verify the security controls of systems authorized to process credit cards.

The Information Security Officer shall maintain currency with the requirements of the PCI DSS and related requirements to ensure that this policy remains current and shall coordinate and lead any campus response to a security breach involving cardholder data.

The PCI DSS Assessor (see Appendix 2) shall conduct the University PCI DSS Self-Assessment and complete the University’s Attestation of Compliance.

VI. SUSPENSION

The Vice President of Administration and Finance may suspend credit card account privileges of any department or administrative unit not in compliance with this policy.

VII. TRAINING

Employees who are expected to be given access to cardholder data shall be required to complete upon hire and at least annually security awareness training. Employees shall be required to acknowledge at least annually that they have received training, understand cardholder security requirements, and agree to comply with these requirements.

 

For Sonoma State University’s purposes, data is considered to be secured only if all of the following criteria are met:

  • Only those with a need-to-know are granted access to payment card and electronic payment data;
  • End user messaging technologies should not be used to transmit unencrypted primary account number (PAN) (for example, email, instant messaging, chat).
  • Credit card data is never downloaded onto any portable devices or media such as USB flash drives, compact disks, laptop computers or personal digital assistants. Special encrypting USB flash drives must be approved by the Information Security Officer;
  • Fax transmissions (both sending and receiving) of credit card and electronic payment information occurs using only fax machines which are attended by those individuals who must have contact with payment card data to do their jobs;
  • All eCommerce transaction must be encrypted by TLS/IPSec or other high encryption technologies during transmission through the computer network.
  • The three or four digit validation code printed on the payment card is never stored in any form;
  • The full contents of any track data from the magnetic stripe are never stored in any form;
  • The personal identification number (PIN) or encrypted PIN block are never stored in any form;
  • The primary account number (PAN) is rendered unreadable anywhere it is stored;
  • All but the last four digits of any credit card account number are masked when it is necessary to display credit card data;
  • All media containing payment card or personal payment data is retained no longer than a maximum of six (6) months and then destroyed or rendered unreadable.
    • Hard copy materials must be cross-shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.

Definitions

Definitions are included in the PCI DSS Glossary.

Standard Purpose This documented adapts the PCI DSS standard to the SSU PCI environment.
Standard Number 01-112
Version 1.1.0
Effective Date Sep 01 2009
Prepared by Barry Blackburn
Date Prepared Mar 01 2009
Approved By Samuel Scalise
Date Approved Mar 09 2009
Last Updated By Barry Blackburn
Date Last Updated Nov 09 2009
Associated Policy Payment Card Industry Security Policy
Contact(s) Barry Blackburn (ISO)
Keywords