Wireless Technology and Payment Card Transaction Security Standard

The University discourages the use of wireless technology to process or transmit cardholder data. Requests for Payment Card Account Acquisition or Change that include the use of wireless technology will be reviewed on a case-by-case basis, and the review shall carefully weigh the need for the technology against the risk of a non-secure payment environment.

In general, the University disallows and discourages the use of cellular wireless uplink technology for payment card processing activities. When permitted, the storage of cardholder data on local hard drives, floppy disks or other external media is prohibited. The use of cut-and-paste and print functions during remote access is also prohibited. Activation of modems for vendors will be permitted only when needed, and the modems will be deactivated immediately after use.

Term Definition

Cardholder

The customer to whom a payment card has been issued or the individual authorized to use the card.

Cardholder Data

All personally identifiable data about the cardholder (i.e., account number, expiration date, cardholder name, address, telephone number, social security number, etc.).

Card-Validation Code or Value

Refers to either (1) magnetic-stripe data or (2) printed security features. Data element on a card’s magnetic stripe that uses a secure process to protect data integrity on the stripe and reveals any alteration or counterfeiting. The following list provides the terms for each card brand:

  • CAV – Card Authentication Value (JCB payment cards)
  • CVC – Card Validation Code (MasterCard payment cards)
  • CVV – Card Verification Value (Visa and Discover payment cards)
  • CSC – Card Security Code (American Express)

For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit un-embossed number printed above the PAN on the face of the payment card. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following provides an overview:

  • CID – Card Identification Number (American Express and Discover payment cards)
  • CAV2 – Card Authentication Value 2 (JCB payment cards)
  • CVC2 – Card Validation Code 2 (MasterCard payment cards)
  • CVV2 – Card Verification Value 2 (Visa payment cards)

Encryption

The process of converting information into an unintelligible form to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure.

Magnetic Stripe Data (Track Data)

Data encoded in the magnetic stripe used for authorization during a payment transaction.

Merchant

For the purposes of the PCI DSS and this policy, a merchant is defined as any university department or other entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods, services, or donations.

Payment Card

Any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or VISA, Inc.

Payment Card Account Change

Any change in the payment account including, but not limited to:

  • the use of existing payment card accounts for new purposes;
  • the alteration of business processes that involve payment card processing activities;
  • the addition or alteration of payment systems;
  • the addition or of relationships with third-party payment card service providers, and
  • the addition or alteration of payment card processing technologies or channels.

Payment Card Industry (PCI) Data Security Standard (DSS)

A multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Standard Purpose: This standard outlines the requirements of wireless technology in payment card transactions.
Standard Number: 01-113
Version: 1.0.0
Effective Date: Sep 01 2009
Prepared by: Barry Blackburn
Date Prepared: Mar 01 2009
Approved By: Samuel Scalise
Date Approved: Mar 09 2009
Last Updated By: Barry Blackburn
Date Last Updated: Sep 01 2009
Associated Policy: Payment Card Industry Security Policy
Contact(s): Barry Blackburn (ISO)
Keywords: