20.23 - Payment Card Processing
Preamble: The University of Idaho (UI) is committed to providing a secure credit and debit card processing environment for our customers to protect against loss and fraud. To protect customers and limit University liability, we must comply with Payment Card Industry (PCI) requirements for securely processing, transmitting, and disposing of cardholder data. This policy will be effective immediately upon final approval. Pursuant to delegation from the President, the Vice President for Finance and Administration approved on March 21, 2019. (rev. 3/17, 7-20)
D. Process, Procedure and Guidelines
F. Contact Information
A-1. Owner. The senior employee with direct responsibility for all credit card payment processing activities for their unit. (ed. 3-17)
A-2. Contact. The documented employee on file responsible for maintenance and coordination of payment card systems for their unit. (ed. 3-17)
A-3. Operator. Any employee tasked with processing card payments for their unit.
A-4. Cardholder Data. Any payment card information that is processed on behalf of the University of Idaho. This includes card numbers, expiration dates, security codes (CVC/CVV/CID code located on the back of credit cards) and cardholder personal data. (ed. 3-17)
A-5. PCI-DSS. Payment Card Industry – Data Security Standards.
A-6. PA-DSS. Payment Application – Data Security Standards.
A-7. SAQ. Self-Assessment Questionnaire.
A-8. Merchant. Any University unit that accepts debit or credit cards as part of its business process.
A-9. Unit. refers to primary management units within the University of Idaho (University), including recognized colleges, administrative units, and recognized University Centers located remotely from the main Moscow campus. (add. 3-17)
A-10. Vendor. Any person or company contracted by the University to facilitate payment card transactions. (ren. 3-17)
A-11. Critical Technology. Any technology device used within, or to connect to or from, the payment card processing environment network or equipment. (ren. 3-17)
B. Policy. All University of Idaho owners, contacts, and operators of any point-of-sale systems, credit payment terminals, or credit processing systems must maintain compliance with current PCI-DSS.
B-1. Pre-approval. (rev. 7-20)
a. Only Merchants and Vendors preapproved by the Controller’s Office are authorized to handle University credit card processing.
b. A list of known service providers and a description of the service provided will be maintained centrally by each merchant and reviewed annually for accuracy by the Merchant.
c. Effective with the issuance of this policy and for all newly signed or renewed agreements, all contracts and agreements with service providers must include provisions or acknowledgement that the service provider is responsible for the security of cardholder data they either possess or otherwise store, process, or transmit on behalf of UI, or to the extent that the service provider could impact the security of UI’s cardholder data environment.
d. Additional provisions for documentation necessary for PCI DSS evidence, Attestation of Compliance and PCI certifications must be provided annually upon request for the preparation of the UI compliance reporting.
e. At a minimum, members of ITS Security Office and Controller’s Office must be involved to adequately assess and vet the provider.
f. Third-party Vendors or service providers contracted by a UI Merchant must supply a contract addendum or other certification assuring their compliance with the current PCI-DSS and/or PA-DSS as appropriate prior to contract completion.
g. Any storage of Cardholder Data after the transaction has been authorized must have prior approval of the Controller’s Office and must meet current PCI-DSS. An inventory of any storage locations for cardholder data must be kept current with the Controller’s Office. (ed. 3-17)
B-2. Responsibility. (rev. 3-17, 7-20)
a. The unit Contact must become familiar with the most current version of PCI-DSS available at https://www.pcisecuritystandards.org/document_library. New versions are published annually and must be reviewed for changes needed by the stated effective date.
b. Prior to operation of any payment card processing system, and on an annual basis, each unit must complete a PCI-DSS Self-Assessment Questionnaire (SAQ) for each Merchant, along with a corresponding Attestation of PCI Compliance within 30 days’ notice from the Controller’s Office.
a. All units that accept credit card payments will annually submit a written list of Operators within their Unit to the Controller’s Office and ITS. The list shall also include a description of procedures the unit follows to ensure that only the listed Operators have access to the unit’s credit card processing software and systems. (add. 3-17)
b. At the onset of employment, and annually thereafter, all owners, contacts and operators directly involved with acceptance or processing of payment card data for the University must complete a comprehensive PCI-DSS compliance and security awareness training as required by the Controller’s Office. Annual training must include a review of this policy and any standards set by management to ensure PCI compliance. Any unit specific processes or procedures must also be reviewed annually with each operator and internally documented by the unit for the SAQ. (ed. & ren. 3-17)
c. All employees handling cardholder data are considered security sensitive under APM 50.16 and must have completed a criminal background check prior to employment. (ren. 3-17)
B-4. Documentation. Any unit operating payment card systems must maintain documentation of all procedures for handling payment card data and systems consistent with PCI-DSS. This documentation must be reviewed and updated annually to meet PCI-DSS requirements, and, when required, be attached as evidence to the unit’s annual SAQ. Documentation required by PCI-DSS and this policy must be readily available during business hours upon the request of the Controller’s Office or the UI Computer Security Incident Response Team. (ed. 3-17, rev. 7-20)
B-5. Inventory. Any unit operating payment card systems must maintain a list of current devices used to process credit cards or used in the cardholder environment and be aware of attempted tampering or replacement of devices. Each device must be appropriately labeled. This list must be supplied to the Controller’s Office annually. (ed. 3-17)
a. The inventory list must include for each device: (rev. 3-17)
- Make and model of device
- Physical location of device
- Device serial number or asset tag
- List of employees with explicit permission to use the device
b. The Controller’s Office must be notified immediately when (add. 3-17)
- New devices are placed into service
- Old devices are removed from service
- A device’s physical location is permanently changed
B-6. Usage policies for critical technologies. (rev. 7-20)
a. All critical technology used within the payment processing environment must be explicitly approved by the Controller’s Office and ITS Security Office and inventoried prior to operation.
b. Only employees trained in Merchant processes and this policy are permitted to use critical technology, and only if required by their job function.
c. All employees using critical technology must be authenticated with a unique user ID and password (or other authentication item or token).
d. All vendor employees requesting direct access to critical technology must be verified and approved prior to granting access for setup, troubleshooting, maintenance or repair services.
e. Critical technology must only be used for designated business purposes and not for general administrative use which might increase risk to the payment processing environment (e.g., no email, web surfing, instant messaging, etc.).
1. Devices must be regularly inspected, at least monthly, for tampering or substitution and documented on the UI PCI DSS Checklist. Inspections must validate (add. 3-17)
a. Location of device has not changed
b. Manufacturer’s name, model and serial number to inventory
c. Color and general description has not changed
d. No additional wires, attachments, overlays are attached
e. Number of connections into and out of the device has not changed
2. Documentation of inspection must be reviewed by a second employee and filed for future review. (add. 3-17)
f. Critical technology may only be used on networks approved and designated for payment card processing, analog phone line or approved third party service provider. Please contact ITS Security Office for review and approval. (rev. 3-17)
1. Critical technology equipment removed from approved networks supporting the payment card processes must have all cardholder data securely wiped from the device prior to removal to ensure secure information is not transported unprotected. (add. 3-17)
g. Remote access to critical technologies must:
1. Be limited to only uniquely identified employees or Vendors with a business need;
2. Be configured to automatically disconnect when inactive; (ed. 3-17)
a. Restrict Vendor access accounts to active monitoring, with immediate deactivation after use. (ed. 3-17)
h. Copying, moving or storing cardholder data on local hard drives or removable electronic media is prohibited.
B-7. Security of and Access to Cardholder Information. (add. 3/17, rev. 7-20)
a. Cardholder data cannot be stored, shared or transmitted in any electronic format including, but not limited to, disc, network storage, email, portable hard drive, thumb-drive, and text message.
b. Under no circumstance will the CVC/CVV/CID code be stored digitally or on paper
c. Credit card information cannot be requested or accepted by email or any other digital messaging technology. If an email is received containing cardholder data it should be immediately deleted and removed from trash folders.
d. Access to stored cardholder data will be restricted to board appointed employees on a need to know/use basis only.
1. Temporary or student employees must not be granted access to sensitive cardholder information.
e. All UI forms that contain a section for cardholder data must be designed so that cardholder data can be immediately removed from the form and shredded or placed into UI provided and locked shred boxes once processed.
1. All forms containing cardholder data must be processed as soon as possible to reduce the duration of time information is stored.
2. If hard-copy cardholder data must be stored it will be stored in securely locked storage for processing as soon as possible.
f. Cardholder data temporarily stored on paper must be immediately disposed of when entered by
1. Cross-cut shredding the information
2. Placing information into an approved Vendor supplied lockbox subsequently destroyed by the Vendor.
B-8. Reporting Incidents. In the event of a suspected incident, event, or tampering potentially involving the exposure of cardholder data, immediate notification of the incident must be sent to the following groups: (ren. 3-17)
- ITS Security Office (firstname.lastname@example.org or 208-885-2522)
- Controller’s Office (email@example.com or 208-885-2719)
- The owner for the Merchant ID
After the incident has been reported, it shall be investigated and escalated in accordance with the Technology Security Incident Response Plan and current PCI requirements.
B-9. Standards. Technical standards are required by PCI-DSS and published regularly on the PCI Security Standards website. Complying with the published standards are required in order to complete annual SAQ successfully and remain compliant. https://www.pcisecuritystandards.org/ (ren. 3-17)
B-10. Consequences. Failure to remain in compliance with the terms of this policy may result in the loss of the ability to process credit cards and the required payment of assessed fines/fees/penalties until PCI compliance has been regained to the satisfaction of the Controller’s Office and the ITS Security Office. (ren. 3-17)
C. Scope. This policy applies to all entities processing credit cards directly or on behalf of the University of Idaho.
D. Process, Procedure, and Guidelines. Additional guidelines, processes, and procedures may be distributed or published by the Controller’s Office and ITS in support of this policy and current PCI standards. Please see their websites for current information:
Controller (ed. 3-17, 7-20)
E. Exceptions. Requests for exceptions in all or part of this policy may be submitted in writing to the University Controller or his or her designee, for review and possible approval. Any exceptions must be renewed annually.
F. Contact Information. The Controller’s Office can assist with questions regarding this policy and PCI compliance. Phone: (208) 885-2719 or firstname.lastname@example.org. (ed. 3-17)