...

  1. Use existing "Payment Gateway Service Providers" such as Nelnet/Commerce Manager and Blackbaud Merchant Services, where possible.

  2. Use "self service" (user initiated and completed) processes whenever possible to reduce the direct involvement of University employees in performing payment card transactions.

  3. When card-present or card-not-present transactions are required, implement an approved Point-to-Point-Encrypted (P2PE) hardware solution, e.g. using a Square reader.

    1. SPU-provided laptops, desktop computers, mobile devices, and SPU network resources (wired, wireless, internet connection) cannot be used to submit credit card transactions without an attached P2PE device.

    2. Devices personally owned by an SPU staff member facilitating the transaction (laptops, desktop computers, mobile devices, tablets, smartphones, etc.) must not be used to submit credit card transactions.

  4. Eliminate payment card data from paper forms and processes.

  5. Do not collect or store cardholder data in any system, database, document, worksheet, email, electronic or paper format ("data-at-rest"). This includes any computing device, file server, mobile device, thumb drive, external storage device, etc.

  6. Do not transmit cardholder data in email, SMS/text, fax, instant messaging/chat, Telnet/FTP, SSH or any other electronic messaging or transmission system (whether encrypted or not), except via approved P2PE mechanisms.

  7. Ensure all access to the cardholder data environment requires authorized credentials, unique and secure passwords, and proper login/logout procedures.  Group, shared, or generic usernames and passwords are prohibited. Default passwords for any and all transaction services and resources must be disabled and never used.

  8. Complete a PCI DSS self-assessment questionnaire to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS) each year.

...

Annually, SPU merchants must complete a PCI DSS self-assessment questionnaire to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

SPU merchants shall be responsible for costs associated with PCI DSS compliance as well as any fines or other fees associated with their non-compliance.

...

The SAQ should be completed through https://pcicompliancemanager.com/ (which provides a step-by-step walkthrough of the questionnaire) or by downloading and filling out the relevant SAQ form.

There are 8 types of SAQ. Finance can help determine which type is required for your merchant location environment:

SAQ A: Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.

SAQ A-EP: Merchants accepting only e-commerce transactions that have partially outsourced the e-commerce payment channel to compliant third parties; the merchant’s website does not receive account data, but controls how customers, or their account data, are redirected to the third party.

SAQ B: Merchants using stand-alone, dial-out terminals.

SAQ B-IP: Merchants using stand-alone PTS-approved payment terminals with an IP connection to the payment processor.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

SAQ C-VT: Merchants with web-based virtual payment terminals provided and hosted by a PCI DSS compliant third-party service provider.

SAQ P2PE: All payment processing is via a validated PCI-listed P2PE solution.

SAQ D: Merchants with electronic storage of cardholder data; all merchants not included in the descriptions for the above SAQ types.

SAQ D-SP: All service providers defined by a payment brand as SAQ-eligible.

...

  1. SPU provided laptops, desktop computers, mobile devices, and SPU network resources (wired, wireless, internet connection) can NOT be used to submit credit card transactions without an attached P2PE device.

  2. Devices personally owned by the SPU staff member facilitating the transaction (laptops, desktop computers, mobile devices, tablets, smartphones, etc.) must NOT be used to submit credit card transactions.

  3. P2PE devices are required for:

    1. Card-present procedures: card swipe or chip insert at point of sale (P2PE device) with the process in view of the customer. The CVV must not be copied or stored.

    2. Card-not-present procedures (phone, postal mail, etc.): card entry at point of sale (P2PE device) on a dedicated touch-pad.

  4. Never use existing “self-service” systems to submit credit card data on behalf of the customer (you may use “Converge” during this transition to P2PE devices, but do not use the self-service systems).

  5. If cardholder data is sent to you unsolicited via email, immediately notify the customer that the University does not accept credit card data via email and provide alternative methods of completing the transaction. If an email is sent back to the customer, any credit card data must be deleted from the return message. After the customer has been notified, delete the email permanently (from the email store, Deleted Items, and Recover Deleted Items; SHIFT+DELETE).

  6. DO NOT direct customers to an SPU computer lab, classroom, or kiosk computer to enter their credit card information. Provide the URL where they can select a device of their choice to complete the transaction. We never recommend using public/shared systems for financial transactions, for SPU transactions or otherwise.

  7. All departments will complete appropriate reconciliation and submittal of transaction charges on a timely basis (generally daily). Transactions are not to be held and batched at a later time.

Definition of Terms

Payment Card Industry - Data Security Standard (PCI DSS): The PCI Security Standards Council publishes a set of standards for merchants to use to ensure secure handling of credit card transactions.

Cardholder Data (CD): Name, card number/account number, expiration date, CVV2, CVC2, CID. In certain circumstances a portion of the card number may be visible (final 4 or first 6 digits). Includes both credit and debit cards.

Cardholder Data Environment (CDE): Any system, process, person, contractor, consultant, or device involved in submitting or completing credit card transactions. Any server, database, application, or network that stores or transmits cardholder data.

Point-of-sale devices (P2PE): Point-to-Point-Encrypted devices are hardware solutions that provide PCI-grade encryption. Many options are available, from USB add-on hardware to stand-alone devices that connect to ethernet ports or cellular service providers.

Merchant ID (MID): The ID number that is provided by the bank or financial institution to the University.

Card Present Transaction: Card swipe/EMV chip read equipment used at the time of the transaction in the presence of the customer.

Card Not Present Transaction: Cardholder data entered by SPU staff based on information given over the phone, web, paper forms, or other means.

Self Service Transaction: Transactions initiated and performed by the cardholder in which no SPU personnel or equipment are involved in directly handling or transferring cardholder data, e.g. web based via a payment gateway.

SAQ: A "Self Assessment Questionnaire" (SAQ) includes a series of questions for each applicable PCI Data Security Standard requirement. There are different questionnaires available to meet different merchant environments.

Procedures

PCI DSS stands for the Payment Card Industry Data Security Standards. These were written by the PCI Security Standards Council to set standards for protecting cardholder data.

PCI DSS is divided into 6 areas with 12 requirements.

Area / Requirement (Responsible party)

Build and maintain a secure network and systems

  1. Install and maintain a firewall configuration to protect cardholder data. (CIS)

  2. Do not use vendor-supplied defaults for system passwords and other security parameters. (SPU merchant)

Protect cardholder data

  3. Protect stored cardholder data. (SPU merchant)

  4. Encrypt transmission of cardholder data across open, public networks. (SPU merchant, by using existing Payment Gateway Service Providers or P2PE hardware solutions)

Maintain a vulnerability management program

  5. Protect all systems against malware and regularly update anti-virus software or programs. (CIS)

  6. Develop and maintain secure systems and applications. (CIS)

Implement strong access control measures

  7. Restrict access to cardholder data by business need to know. (SPU merchant)

  8. Identify and authenticate access to system components. (CIS / SPU merchant)

  9. Restrict physical access to cardholder data. (SPU merchant)

Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data. (CIS / SPU merchant)

  11. Regularly test security systems and processes. (CIS)

Maintain an information security policy

  12. Maintain a policy that addresses information security for all personnel. (CIS)

Key Roles and Responsibilities in PCI Compliance

Everyone involved in processing payment card transactions plays a critical role in keeping the customer’s credit or debit card information secure.

Cardxxx

Managers

It is the responsibility of the managers to ensure that card payments are processed only on approved devices such as those which use point-to-point encryption (P2PE).

Managers must review reports on what the merchant location processed each day (high volume of transactions) or weekly (low volume of transactions) to check for accidental errors and any fraud.

Some merchant locations are small and don’t process many transactions, but it is still important to ensure that someone oversees the work of the individuals who handle payment transactions to ensure segregation of duties.

A manager is required to approve refunds.

What payment solutions does SPU use?

The PCI Security Standards Council has determined that P2PE is the most secure way to process payment cards. The card information is encrypted inside the device at the point of capture (swipe, keyed entry, or chip), so no unencrypted cardholder data travels across the SPU network.

Utilizing P2PE reduces the PCI compliance costs and the effort required for your department.

SPU merchants must process payment data either through P2PE devices or through Payment Gateway Service Providers.

To inquire about P2PE or Payment Gateway Service Provider solutions, contact Finance.

In person payments

Card Present Transactions

Card swipe or chip-insert at point of sale using a P2PE device.

...

This must occur in view of the customer. CVVs must not be copied or stored.

When using a P2PE device, it is important to check it on a daily basis to ensure no one has tampered with it. When devices are not in use, they must be stored in a secure, locked location.

Never process payment cards by entering the card numbers directly on your computer’s keyboard. Card numbers may be keyed in only on approved, PCI-validated point-to-point encryption (P2PE) devices. The only exception to this rule is for approved users of Converge.

Card Not Present Transactions

SPU prohibits the acceptance of credit card information by fax, email or instant messenger. As a best practice, the University strongly discourages the acceptance of credit card information via mail or phone.

If legitimate business reasons exist to accept credit card information via mail or phone, first notify Finance who will work with you to ensure that your procedures are compliant with PCI DSS requirements.

  • If your department accepts paper forms with credit card information via mail, take precautions to protect the information.

  • Store information in a secure location inaccessible to unauthorized personnel, such as a safe in a locked room.

  • Clearly mark documents as containing sensitive information, for example, in a folder labeled “Confidential.”

  • After you have processed the payments, immediately shred the paper records using a cross-cut shredder. Do not tear paper by hand or use a straight-cut shredder. 

  • The use of a virtual terminal with a PCI validated P2PE device is the only permitted method of accepting card payments over the phone. The only exception to this rule is for approved users of Converge.

    • When accepting payments over the phone, it is critical that you do not key credit card numbers into your computer using its keyboard.

    • Never write down card holder information for processing at a later time.

Self-service payments

Online payments, or e-commerce payments, are a very popular way for customers to make donations, purchase tickets and other items.

Do not use self-service systems to submit cardholder data on behalf of the customer.

If a customer calls and wants help with an online payment page, you cannot go onto that page and complete the transaction for them over the phone. You must use a PCI validated P2PE device to take payments over the phone on campus (the only exception to this rule is for approved users of Converge).

Never recommend that a customer use public/shared systems for financial transactions, i.e. do not direct customers to an SPU computer lab, classroom, or kiosk computer to enter their card information. Provide the URL so they can complete the transaction on a device of their choice.

Internal Software

Many software systems are built to accept payments online. If you are a user of the software system and can access the customer database, be sure to immediately alert your supervisor if you are able to see cardholder information.

Password Management

The PCI Security Standards Council requires you to update your software password at least every 90 days. Use complex passwords and never reuse passwords. Also, never use the default passwords that sometimes come with software systems initially. Keep your account log-in information secure and do not share it with others. If you provide someone else with access to your log-in information and that person violates the PCI DSS requirements or even causes a security breach, you may be held responsible.

P2PE devices

Device Inventory

Managers are responsible for keeping an accurate inventory of all devices that accept credit card payments in your department. Include each device’s make and model, location (for example, the address of the site or facility where the device is located), and the serial number or other method of unique identification. Be sure to update this list each time you dispose of a device or get a new one.

Device Disposal

Be careful when disposing of old equipment.

  • Return old payment card terminals to Finance for proper disposal.

  • “Wipe” or remove all information from hard drives before replacing, selling, or discarding workstations.

FAQs

What if cardholder data is sent to you unsolicited via email? Immediately notify the customer that the University does not accept cardholder data via email and provide alternative methods of completing the transaction. If an email is sent back to the customer, any cardholder data must be deleted from the return message. After the customer has been notified, delete the email permanently (from the email store, Deleted Items, and Recover Deleted Items).

What cardholder data needs to be protected?

Account data or cardholder data that you need to protect includes—but is not limited to—the following:

  • card number, known as the Primary Account Number (PAN)

  • cardholder name

  • expiration date

  • customer’s payment address.

If your payment system involves swiping cards, you must also protect the data in the magnetic stripe and chip of credit and debit cards. Depending on your system, you may also receive card verification security codes (including CVV2, CID, CAV2, and CVC2). Those are the three- or four-digit codes that appear on the front or back of a card. These also must be treated as sensitive data. Cardholder data also includes the PINs or PIN blocks for debit card transactions.