Policy No. To be determined
Approved: January 22, 2013
The purpose of this policy is to protect payment card data and to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements for transmitting, handling, and storing payment card data.
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 2.0, October 2010, www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
CVC2/CVV2 – A three- or four-digit value printed on the card or signature strip used for card validation or verification. It is sensitive authentication data and must never be stored after authorization.
Degaussing (erasure) – A process that renders previously stored data on magnetic media unrecoverable. Proper degaussing ensures there are not sufficient magnetic remnants to reconstruct the data; it does not apply to solid-state or optical media, which must be physically destroyed.
Cardholder data – The Primary Account Number (PAN) by itself or in conjunction with the cardholder name, expiration date, or service code.
E-Commerce – Electronic commerce consists of the buying and selling of products or services over electronic systems such as the Internet or other computer networks.
Mask (or truncate) – The practice of concealing or removing a segment of the data. Truncation permanently removes the segment from the stored record; masking replaces it with asterisks (*) when the PAN is displayed or printed. Commonly, the first 12 digits of the account number are removed or masked, leaving only the last 4 digits visible.
Media – Objects on which data can be stored. These include computers, removable electronic media, networking and communications hardware, telecommunications lines, paper receipts, paper reports, and faxes.
Payment Card – An instrument used in lieu of cash in the form of a credit, debit, or charge card.
Payment Card Industry Data Security Standards (PCI DSS) – Data security standards developed by the major payment card companies (Visa, MasterCard, Discover, American Express and JCB) to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
Payment Application Data Security Standards (PA DSS) – Data security standards derived from PCI DSS as a guideline for software vendors and others who develop secure payment applications, so that those applications do not store sensitive authentication data and support their users' compliance with the PCI DSS.
Payment Card Merchant – A department or other auxiliary which has been set up through a financial institution with the ability to accept payment cards as payment for goods or services.
Payment Gateway – Facilitates the transfer of payment card transaction information between a payment portal (such as a website) and the acquiring bank.
PCI Compliance Committee – Committee comprised of employees from the College's Information Technology (IT) Department and Business Office charged with ensuring the College's compliance with PCI DSS.
Primary Account Number (PAN) – Unique payment card number that identifies the issuer and the particular cardholder account.
POS device – The hardware and/or software used to process payments and transactions at merchant locations.
Sensitive Authentication Data – Security-related information (including but not limited to card validation codes/values (CVC2/CVV2), full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
a) All departments and other auxiliaries within the College that function as a payment card merchant must comply with established security control measures including:
1. Approval from the College Controller (unless the Controller is the chair of the PCI committee) and PCI Compliance Committee before entering into any contract or purchase of software and/or equipment that involve payment cards. This requirement applies regardless of the transaction method or technology used.
2. Compliance with College Purchasing policies (www.snow.edu/purchasing/).
3. Notification to the Chief Information Officer of all technology implementations.
4. Establishment of payment card handling procedures for safeguarding cardholder data. This pertains to ALL transactions initiated via the telephone, over the counter, mail order, ecommerce, etc.
5. Compliance with Payment Card Industry Data Security Standards (PCI DSS).
6. Participation in an annual security self-assessment conducted by the Payment Card Merchant in conjunction with the PCI Compliance Committee and reported to the Vice President of Finance and Administrative Services to ensure compliance with this policy and associated procedures.
7. Payment applications and POS devices implemented must be PA DSS validated.
b) All e-commerce payments must be processed through a College approved payment gateway, unless an exemption has been approved by the PCI Compliance Committee.
1. A department or other auxiliary of the College shall not enter into an outsourcing agreement with a third-party provider, including software applications, for payment card processing until such an agreement is first approved by the Controller in conjunction with the PCI Compliance Committee.
c) All cardholder data and customer information must be kept secure and confidential at all times.
1. Payment card receipts should be treated in the same manner as cash.
2. All media containing cardholder data must be maintained in a secure environment limited to authorized staff. Secure environments include locked drawers, file cabinets in locked offices, safes, and encrypted electronic storage devices.
i. Payment card merchants who accept mail or phone payments must immediately destroy any paper notes that contain the cardholder’s PAN once the transaction is completed.
3. Sensitive authentication data (CVC2/CVV2, full magnetic-stripe data, PINs, and PIN blocks) must never be stored after authorization, on computers, networks, or paper, even in encrypted form.
4. The PAN and expiration date must be rendered unreadable wherever they are electronically stored, e.g. by truncation or strong encryption. Masking on display does not by itself protect the stored value.
5. Cardholder data must be transmitted or delivered in a secure manner, such as TLS (formerly SSL) encryption over any open or public network, or sealed envelopes through the U.S. Postal Service or equivalent.
i. No cardholder data is permitted to be received via facsimile.
6. Cardholder data must never be sent or accepted over email.
7. Cardholder data must never be sent or accepted over voicemail.
8. Cardholder data must not be stored in spreadsheets, word processing documents, personal databases, text files, or any other storage mechanism not approved by the PCI Compliance Committee.
9. The payment card merchant must use processing equipment that produces receipts with a masked (or truncated) cardholder PAN. Payment card merchants must mask the PAN on the customer's receipt and should also mask it on the merchant's copy of the receipt if there is no business constraint.
10. The level of security controls applied to the College’s network must at least match the highest level of classification of the data being transmitted.
11. All personnel involved in payment card handling are required to attend payment card handling security training, conducted by the PCI Compliance Committee, at least annually.
d) All cardholder data and customer information must be protected from unauthorized access.
1. Physical and electronic access to payment card processing and cardholder data must be restricted to appropriate and approved personnel.
2. Background checks must be performed in accordance with the Criminal Background Checks Policy 13.2.2 (www.snow.edu/hr/pdf/13.2.2.pdf).
3. Appropriate segregation of duties must be established between payment card processing (including refunds) and the reconciliation function. Supervisory approval of all payment card refunds is required.
4. The Chief Information Officer must be notified prior to implementation of any technology changes affecting payment card transaction processing associated with the merchant account.
5. Proper user authentication and password management must be in place as required by PCI DSS and the College Information Security Policy (www.snow.edu/itsecurity/).
6. All access to cardholder data must be logged and monitored.
e) All security breaches involving cardholder data must be reported to the Vice President of Finance and Administrative Services, the Chief Information Officer and the Information Security Officer immediately upon discovery.
f) Self-assessments and testing must be performed to ensure compliance with PCI DSS.
1. Payment card handling procedures and equipment are subject to audit by the College Internal Audit department and external audit or Payment Card review firms.
2. An annual PCI DSS self-assessment and periodic network-based vulnerability scans (at least quarterly and after any significant change, as PCI DSS requires) must be conducted to ensure security controls are in place to protect the technology implementations.
3. The results of the annual self‐ assessment must be reported to the Vice President of Finance and Administrative Services and the Chief Information Officer.
4. Departments not complying with approved safeguarding, storage, and processing procedures may lose the privilege to serve as a payment card merchant.
g) Payment card transaction records and cardholder data must be retained and destroyed appropriately.
1. Original sales receipts and all supporting documentation must be retained as established by the Utah Code Section 63A-12 or State Agency General Records Retention Schedule.
i. All paper documentation containing cardholder data must be destroyed in a manner that will render it unreadable, e.g. cross-cut shredding.
ii. All electronic cardholder data must be rendered unreadable by destroying the media on which it is stored, e.g. drilling holes in the media or, where cost-effective, degaussing magnetic media.
h) Payment Cards inadvertently left at a Payment Card Merchant's location and remaining unclaimed:
1. A Payment Card inadvertently left at a merchant location may be returned to the cardholder until the close of the business day, and only if the cardholder provides positive identification.
i. A Payment Card not claimed by the cardholder by the close of the business day must be processed in accordance with the applicable merchant agreement (e.g. following the lost Payment Card instructions on the back of the card, or sending the card to the College Cashier's Office to be placed in the vault until claimed).