20.23 - Payment Card Processing
- Position: Controller
- Name: Amanda Bauer
- Email: email@example.com
Last updated: July 01, 2022
A. Purpose. The University of Idaho is committed to providing a secure credit and debit card processing environment for our customers to protect against loss and fraud. To protect customers and limit University liability, employees must comply with Payment Card Industry (PCI) requirements for securely processing, transmitting, and disposing of cardholder data.
B. Scope. This policy applies to all employees engaged in credit card processing activities at the University of Idaho.
C. Definitions.
C-1. Owner. The senior employee with direct responsibility for all credit card payment processing activities for their unit.
C-2. Contact. The employee on file responsible for maintenance and coordination of payment card systems for their unit.
C-3. Operator. Any employee tasked with processing card payments for their unit.
C-4. Cardholder Data. Any payment card information that is processed on behalf of the University of Idaho. This includes card numbers, expiration dates, security codes (CVC/CVV/CID code located on the back of credit cards) and cardholder personal data.
C-5. PCI-DSS. Payment Card Industry – Data Security Standards.
C-6. PA-DSS. Payment Application – Data Security Standards.
C-7. SAQ. Self-Assessment Questionnaire.
C-8. Merchant. Any University unit that accepts debit or credit cards as part of its business process.
C-9. Units. Primary management units within the University of Idaho (University), including recognized colleges, departments, administrative units, and recognized locations remote from the main Moscow campus.
C-10. Vendor. Any person or company contracted by the University to facilitate payment card transactions.
C-11. Critical Technology. Any technology device used within, or to connect to or from, the payment card processing environment network or equipment.
D. Policy. All University of Idaho owners, contacts, and operators of any point-of-sale systems, credit payment terminals, or credit processing applications or systems must maintain compliance with current PCI-DSS.
D-1. General PCI-DSS compliance responsibilities.
a. The PCI Security Standards Council publishes and regularly updates the Payment Card Industry Data Security Standard (PCI-DSS) at https://www.pcisecuritystandards.org/document_library. The unit Contact must review updates to the PCI-DSS for changes needed and implement them by the stated effective date.
b. Prior to operation of any payment card processing system, and on an annual basis, each unit must complete a PCI-DSS Self-Assessment Questionnaire (SAQ) for each Merchant.
c. Each unit must provide an Attestation of PCI Compliance within 30 days’ notice from the Controller’s Office.
d. Documentation necessary for PCI DSS evidence and PCI certifications must be provided annually upon request by the Controller’s Office.
D-2. Contracting requirements.
a. Only Merchants and Vendors preapproved by the Controller’s Office are authorized to handle University credit card processing. A list of known service providers and a description of the service provided will be maintained centrally by each merchant and reviewed annually for accuracy by the Merchant.
c. Effective with the issuance of this policy and for all newly signed or renewed agreements, all contracts and agreements with service providers must include provisions or acknowledgement that the service provider is responsible for the security of cardholder data they either possess or otherwise store, process, or transmit on behalf of UI, or to the extent that the service provider could impact the security of UI’s cardholder data environment.
d. At a minimum, members of the ITS Security Office and Controller’s Office staff must be involved to adequately assess and vet providers before contracting.
e. Third-party Vendors or service providers contracted by a UI Merchant must supply a contract addendum or other certification assuring their compliance with the current PCI-DSS and/or PA-DSS as appropriate prior to contract execution.
f. Any storage of Cardholder Data after the transaction has been authorized must have prior approval of the Controller’s Office and must meet current PCI-DSS. An inventory of any storage locations for cardholder data must be kept current with the Controller’s Office.
D-3. Documentation, training, and background check requirements for personnel engaged in credit card processing activities.
a. All units that accept credit card payments will annually submit a written list of Operators within their Unit to the Controller’s Office and ITS. The list shall also include a description of procedures the unit follows to ensure that only the listed Operators have access to the unit’s credit card processing software and systems.
b. At the onset of employment, and annually thereafter, all owners, contacts and operators directly involved with acceptance or processing of payment card data for the University must complete a comprehensive PCI-DSS compliance and security awareness training as required by the Controller’s Office. Annual training must include a review of this policy and any standards set by management to ensure PCI compliance. Any unit specific processes or procedures must also be reviewed annually with each operator and internally documented by the unit for the SAQ.
c. All employees handling cardholder data are considered security sensitive under APM 50.16 and must have completed a criminal background check prior to employment.
D-4. Documentation of procedures. Any unit operating payment card systems must maintain documentation of all procedures for handling payment card data and systems consistent with PCI-DSS. This documentation must be reviewed and updated annually to meet PCI-DSS requirements, and, when required, be attached as evidence to the unit’s annual SAQ. Documentation required by PCI-DSS and this policy must be readily available during business hours upon the request of the Controller’s Office or the UI Computer Security Incident Response Team.
D-5. Inventory. Any unit operating payment card systems must maintain a list of current devices used to process credit cards or used in the cardholder environment and be aware of attempted tampering or replacement of devices. Each device must be appropriately labeled. This list must be supplied to the Controller’s Office annually.
a. The inventory list must include for each device:
1. Make and model of device
2. Physical location of device
3. Device serial number or asset tag
4. List of employees with explicit permission to use the device
b. The Controller’s Office must be notified immediately when
1. New devices are placed into service
2. Old devices are removed from service
3. A device’s physical location is permanently changed
D-6. Usage policies for critical technologies.
a. All critical technology used within the payment processing environment must be explicitly approved by the Controller’s Office and ITS Security Office and inventoried prior to operation.
b. Only employees trained in Merchant processes and this policy are permitted to use critical technology, and only if required by their job function.
c. All employees using critical technology must be authenticated with a unique user ID and password (or other authentication item or token).
d. All vendor employees requesting direct access to critical technology must be verified and approved prior to granting access for setup, troubleshooting, maintenance or repair services.
e. Critical technology must only be used for designated business purposes and not for general administrative use which might increase risk to the payment processing environment (e.g., no email, web surfing, instant messaging, etc.).
1. Devices must be regularly inspected, at least monthly, for tampering or substitution and documented on the UI PCI DSS Checklist. Inspections must validate
a. Location of device has not changed
b. Manufacturer’s name, model and serial number match the inventory
c. Color and general description have not changed
d. No additional wires, attachments, or overlays are attached
e. Number of connections into and out of the device has not changed
2. Documentation of inspection must be reviewed by a second employee and filed for future review.
f. Critical technology may only be used on networks approved and designated for payment card processing, an analog phone line, or an approved third-party service provider. Please contact the ITS Security Office for review and approval. Critical technology equipment removed from approved networks supporting the payment card processes must have all cardholder data securely wiped from the device prior to removal to ensure secure information is not transported unprotected.
g. Remote access to critical technologies must:
1. Be limited to only uniquely identified employees or Vendors with a business need;
2. Be configured to automatically disconnect when inactive. Restrict Vendor access accounts to active monitoring, with immediate deactivation after use;
h. Copying, moving or storing cardholder data on local hard drives or removable electronic media is prohibited.
i. Immediately revoke access for any terminated users.
D-7. Security of and access to cardholder information.
a. Cardholder data must not be stored, shared or transmitted in any electronic format including, but not limited to, disc, network storage, email, portable hard drive, thumb-drive, and text message.
b. Under no circumstance will the CVC/CVV/CID code be stored digitally or on paper.
c. Credit card information must not be requested or accepted by email or any other digital messaging technology. If an email is received containing cardholder data, it must be immediately deleted and removed from trash folders.
d. Define access needs for each role, including:
1. System components and data resources that each role needs to access for their job function.
2. Level of privilege required for accessing resources.
d. Access to stored cardholder data shall be restricted to board appointed employees on a need to know/use basis only. Temporary or student employees must not be granted access to sensitive cardholder information.
e. All UI forms that contain a section for cardholder data must be designed so that cardholder data can be immediately removed from the form and shredded or placed into UI-provided, locked shred boxes once processed.
1. All forms containing cardholder data must be processed as soon as possible to reduce the duration of time information is stored.
2. If hard-copy cardholder data must be stored it shall be stored in securely locked storage for processing as soon as possible.
f. Cardholder data temporarily stored on paper must be immediately disposed of when entered by
1. Cross-cut shredding the information
2. Placing information into an approved Vendor supplied lockbox subsequently destroyed by the Vendor.
g. Use appropriate facility entry controls to limit and monitor physical access to systems. Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. See APM 95.13 for policy covering use of security cameras.
D-8. Reporting incidents. In the event of a suspected incident, event, or tampering potentially involving the exposure of cardholder data, immediate notification of the incident must be sent to the following groups:
- ITS Security Office (firstname.lastname@example.org or 208-885-1060)
- Controller’s Office (email@example.com or 208-885-7105)
- The owner for the Merchant ID
After the incident has been reported, it shall be investigated and escalated in accordance with the Technology Security Incident Response Plan and current PCI requirements.
D-9. Noncompliance. Failure to remain in compliance with the terms of this policy may result in the loss of the ability to process credit cards and the required payment of assessed fines/fees/penalties until PCI compliance has been regained to the satisfaction of the Controller’s Office and the ITS Security Office.
E. Process, procedure, and guidelines. Additional guidelines, processes, and procedures may be distributed or published by the Controller’s Office and ITS in support of this policy and current PCI standards. Please see their websites for current information:
F. Contact information. The Controller’s Office can assist with questions regarding this policy and PCI compliance. Phone: (208) 885-7105 or firstname.lastname@example.org.
Amended July 2022. Revised to meet the current requirements of the Payment Card Industry for processing, transmitting and disposing of cardholder data.
Amended July 2020. Revised to meet the current requirements of the Payment Card Industry for processing, transmitting and disposing of cardholder data.
Amended March 2017. Revised to meet the current requirements of the Payment Card Industry for processing, transmitting and disposing of cardholder data.
Adopted January 2016.