Credit Card Handling & Compliance Procedures
The following procedures are intended to support the university's Payment Card Industry (PCI) Data Security Standard (DSS) compliance efforts. They should be reviewed annually and updated as appropriate:
- An annual risk assessment of all areas (and corresponding vendors) taking credit cards as payment or supporting the credit card payment environment will be coordinated through the office of the Chief Technology Security Officer and the Business Office. Policies, procedures and training will be updated as appropriate.
- Vendors processing, transmitting or storing cardholder data on behalf of the university must provide annual evidence of their compliance with PCI DSS.
- Information security contract language must be added to all contracts that provide access to university systems, data, sensitive areas (such as data centers, wiring closets, etc.) or provide custom development on behalf of the university. The agreement should include an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses.
- Unencrypted cardholder data may not be taken outside the university and may not be provided to non-approved outside entities (such as third-party vendors providing processing, analysis, etc.). University merchants can work with the Business Office to get a vendor approved. The currently approved vendors are: PayPal, Authorize.net, Global Payments and Illinois Funds E-PAY.
- Areas wishing to purchase applications that process, transmit or store cardholder data must insist that the vendor provide evidence that the application has been assessed against the PCI Payment Application Data Security Standard (PA-DSS) and that the vendor has supplied a PA-DSS implementation guide (where configuration options exist) describing how the application must be configured to achieve and maintain compliance.
- Quarterly network scans conducted by a PCI Approved Scanning Vendor (ASV) are required.
- Perform external penetration testing at least once a year and after any significant infrastructure or application upgrade or modification. Testing must include both a network-layer and an application-layer penetration test.
- Ensure that web-facing applications are protected against known attacks, either by having custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or by installing an application-layer firewall in front of the web-facing applications.
- The Business Office and the office of the CTSO will provide annual training on the proper handling of credit cards. All employees who work in areas that take credit cards as payment must sign off annually that they have received this training.
Credit Card Data Retention and Disposal Procedures
Payment Card Industry (PCI) Data Security Standard (DSS) requirement 3.1 requires that the university maintain and adhere to data retention and disposal procedures. The purpose of this procedure is to ensure that records that are no longer needed are discarded appropriately and in a timely fashion. Each area that takes credit cards as payment must periodically (at least annually) review these procedures to determine whether any circumstances necessitate changes in the way it retains or disposes of cardholder data.
Lack of compliance may result in fines of $25,000 per merchant per month and may eventually result in the loss of merchant privileges.
The state of Illinois defines credit card records as receipts and defines the following retention guidelines.
| Cardholder data transmission, retention and disposal | State of Illinois guidance |
|---|---|
| Credit/debit card data (name, authorization code, authorization date) | 3 years |
| Credit/debit card data (last 4 digits of account number) | 3 years |
| Full credit card account number | 3 years (encryption required prior to storage) |
| Credit/debit card data (magnetic stripe track data, card validation code, PIN) | Never stored |
| Cardholder data over electronic mail, instant messaging, text messaging, chat, blogging and voice-mail | Encryption required prior to transmission |
| Cardholder data over a wireless network | May only be transmitted over secure wireless |
| Cardholder data over insecure protocols (telnet, FTP, etc.) | Encryption required prior to transmission |
Credit Card Data Disposal:
Cardholder data maintained on paper should be shredded as soon as business conditions allow, and in no case retained longer than the period set by the state of Illinois guidance above. If cardholder data must be kept on paper for any period of time, care must be taken to control and protect the document, including:
- Minimizing who has access to the document;
- Ensuring that disallowed data (magnetic stripe track data, card validation code, PIN) is not present;
- Concealing all but the last four (4) digits of the cardholder account number; and
- Maintaining the paper document in a locked secure area with limited controlled access.
Cardholder data maintained electronically should be eliminated as soon as business conditions allow, and in no case retained longer than the period set by the state of Illinois guidance above. If cardholder data must be kept electronically for any period of time, care must be taken to control and protect it. Electronic cardholder data presents additional challenges beyond those of paper records, so in addition to the items listed for paper the following must be considered for cardholder data maintained electronically:
- If business conditions allow eliminate the electronic retention of cardholder data.
- If business conditions allow, conceal or remove as much of the cardholder data as possible (for example, remove all but the last 4 digits of the cardholder account number).
- Encrypt or one-way hash cardholder data prior to storage.
- Do not make backup copies of unencrypted cardholder data.
- Cardholder data must not be transmitted via or stored on electronic mail, instant messaging, text messaging, blogging and voice-mail
- Cardholder data must not be transmitted via unsecure protocols (such as telnet, FTP, etc.)
- Cardholder data must not be transmitted over an unsecure wireless network
- Whether or not you believe an old computer holds cardholder data, ensure proper disposal of end-of-life computer equipment by adhering to WIU's computer disposal policy.
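The electronic-retention items above (find what is stored, strip disallowed data, keep only the last four digits, encrypt or one-way hash anything that must be kept in full) are easier to audit with a small tool than by inspection. The following is an added example written for this page, not WIU's code or any PCI tool's code. It scans constructed sample text for Luhn-valid card numbers, reports lines that carry disallowed data (card validation code or track data), masks each account number to its last four digits, and derives a keyed one-way hash (HMAC-SHA256) in place of the full number. The hashing key `HASH_KEY`, the sample lines and the keyword list for disallowed data are all assumptions made for the example; in a real deployment the key would live in a key management system, not in source.

```python
"""Added example: PAN discovery, truncation and keyed hashing for stored records.

Illustrative code for this page, not the university's or any PCI tool's code.
HASH_KEY below is a placeholder assumption; a real key is held in a KMS/HSM.
"""
import hashlib
import hmac
import re

# Placeholder key for the example only (assumption: real key lives outside the DB).
HASH_KEY = b"example-key-do-not-use-in-production"

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample lines, as might be found in a spreadsheet or mailbox.
SAMPLE_LINES = [
    "Order 1042 paid with 4111 1111 1111 1111 exp 12/26 cvv 123",
    "Phone 217-555-0100, invoice 1234567890123",
    "Refund to card 5500000000000004 approved",
    "Parking permit 2024-000123",
]

# Keywords that indicate disallowed data (assumption: this list is illustrative).
DISALLOWED = re.compile(r"\b(cvv2?|cvc2?|cid|track ?[12]?|pin)\b[\s:=]*[0-9]+", re.I)


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in text, digits only.

    The Luhn test filters out most invoice and phone numbers that merely look
    like card numbers; a 13-digit invoice number that fails Luhn is skipped.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def has_disallowed_data(text: str) -> bool:
    """True if the line appears to carry a card validation code, track data or PIN."""
    return DISALLOWED.search(text) is not None


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as the retention procedure requires."""
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_token(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN.

    An unkeyed SHA-256 of a PAN is brute-forceable: with the six-digit BIN
    known there are only about 10^9 to 10^10 candidates per BIN. Keying the
    hash with a secret held outside the database removes that shortcut.
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_line(line: str, key: bytes = HASH_KEY) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form plus a short token."""
    def repl(m: re.Match) -> str:
        digits = _digits(m.group(0))
        if luhn_valid(digits):
            return f"{mask_pan(digits)} [tok:{pan_token(digits, key)[:16]}]"
        return m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


def scan(lines: list[str]) -> list[tuple[int, list[str], bool]]:
    """Report (line number, masked PANs found, disallowed data present) per hit."""
    report = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        flagged = has_disallowed_data(line)
        if pans or flagged:
            report.append((n, [mask_pan(p) for p in pans], flagged))
    return report


if __name__ == "__main__":
    for n, masked, flagged in scan(SAMPLE_LINES):
        print(f"line {n}: {masked} disallowed_data={flagged}")
    for line in SAMPLE_LINES:
        print(sanitize_line(line))
```

Running the block over the constructed lines reports line 1 (a masked Visa test number plus a card validation code, which must never be stored) and line 3 (a masked Mastercard test number); the 13-digit invoice number on line 2 is ignored because it fails the Luhn check. A scan like this run against file shares, mailboxes and decommissioned machines is how an area can verify the "if you think your old computer does not hold cardholder data" assumption rather than trust it.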