Wireless Technology and Payment Card Transaction Security Standard
The University discourages the use of wireless technology to process or transmit cardholder data. Requests for Payment Card Account Acquisition or Change that include the use of wireless technology will be reviewed on a case-by-case basis, and the review shall carefully weigh the need for the technology against the risk of a non-secure payment environment.
In general, the University disallows and discourages the use of cellular wireless uplink technology for payment card processing activities. When permitted, the storage of cardholder data on local hard drives, floppy disks or other external media is prohibited. The use of cut-and-paste and print functions during remote access is also prohibited. Modems for vendors will be activated only when needed and will be deactivated immediately after use.

| Term | Definition |
|---|---|
| Cardholder | The customer to whom a payment card has been issued or the individual authorized to use the card. |
| Cardholder Data | All personally identifiable data about the cardholder (i.e., account number, expiration date, cardholder name, address, telephone number, social security number, etc.). |
| Card-Validation Code or Value | Refers to either (1) magnetic-stripe data or (2) printed security features. Data element on a card’s magnetic stripe that uses a secure process to protect data integrity on the stripe, and reveals any alteration or counterfeiting. The following list provides the terms for each card brand:<br>For Discover, JCB, MasterCard, and Visa payment cards, the second type of card verification value or code is the rightmost three-digit value printed in the signature panel area on the back of the card. For American Express payment cards, the code is a four-digit un-embossed number printed above the PAN on the face of the payment card. The code is uniquely associated with each individual piece of plastic and ties the PAN to the plastic. The following provides an overview: |
| Encryption | The process of converting information into an unintelligible form to anyone except holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process against unauthorized disclosure. |
| Magnetic Stripe Data (Track Data) | Data encoded in the magnetic stripe used for authorization during a payment transaction. |
| Merchant | For the purposes of the PCI DSS and this policy, a merchant is defined as any university department or other entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods, services, or donations. |
| Payment Card | Any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or VISA, Inc. |
| Payment Card Account Change | Any change in the payment account including, but not limited to: |
| Payment Card Industry (PCI) Data Security Standard (DSS) | A multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. |

| Standard Purpose | This standard outlines the requirements of wireless technology in payment card transactions. |
|---|---|
| Standard Number | 01-113 |
| Version | 1.0.0 |
| Effective Date | Sep 01 2009 |
| Prepared by | Barry Blackburn |
| Date Prepared | Mar 01 2009 |
| Approved By | Samuel Scalise |
| Date Approved | Mar 09 2009 |
| Last Updated By | Barry Blackburn |
| Date Last Updated | Sep 01 2009 |
| Associated Policy | Payment Card Industry Security Policy |
| Contact(s) | Barry Blackburn (ISO) |
| Keywords |