PCI Compliance Homepage PUT WITHIN TREASURY SECTION

As a business accepting card payments, Seattle Pacific University needs to take a number of steps to protect our customers and our business and to reduce our exposure to fraud.

Annually, any department within the university that accepts payment via credit or debit card must complete a PCI DSS self-assessment questionnaire to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). Finance and CIS are available to support departments completing PCI DSS self-assessment questionnaires, and Finance will retain a copy of each department's completed questionnaire.

Policy

This policy addresses the people, processes and controls required to protect Cardholder Data (CHD) received, processed, transmitted, stored by, or stored on behalf of, Seattle Pacific University.

Overview

The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. It publishes a set of standards that merchants use to ensure secure handling of payment card transactions. The current standard is PCI DSS v4.0, published in March 2022.

All card processing activities and related technologies must comply fully with the Payment Card Industry Data Security Standard (PCI DSS).

SPU Merchant Requirements

SPU schools and departments (SPU merchants) that accept payment via credit or debit cards must:

  1. Use existing "Payment Gateway Service Providers" such as Nelnet/Commerce Manager and Blackbaud Merchant Services, where possible.

  2. Use "self service" (user initiated and completed) processes whenever possible to reduce the direct involvement of University employees in performing payment card transactions.

  3. When card-present or card-not-present transactions are required, implement an approved Point-to-Point Encrypted (P2PE) hardware solution, e.g. using a Square reader.

    1. SPU-provided laptops, desktop computers, mobile devices, and SPU network resources (wired, wireless, internet connection) cannot be used to submit credit card transactions without an attached P2PE device.

    2. Devices personally owned by the SPU staff member facilitating the transaction (laptops, desktop computers, mobile devices, tablets, smartphones, etc.) must not be used to submit credit card transactions.

  4. Eliminate payment card data from paper forms and processes.

  5. Not collect or store cardholder data in any system, database, document, worksheet, email, electronic or paper format ("data-at-rest"). This includes any computing device, file server, mobile device, thumb drive, external storage device, etc.

  6. Not transmit cardholder data in email, SMS/text, fax, instant messaging/chat, Telnet/FTP, SSH or any other electronic messaging or transmission system (whether encrypted or unencrypted), except via approved P2PE mechanisms.

  7. Ensure all access to the cardholder data environment requires authorized credentials, unique and secure passwords, and proper login/logout procedures. Group, shared, or generic usernames and passwords are prohibited. Default passwords for any and all transaction services and resources must be disabled and never used.

  8. Complete a PCI DSS self-assessment questionnaire to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS) each year.

Please reach out to Finance before contracting with any Payment Gateway Service Provider or P2PE.

PCI DSS Self Assessment Questionnaires

Annually, SPU merchants must complete a PCI DSS self-assessment questionnaire to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

SPU merchants shall be responsible for costs associated with PCI DSS compliance as well as any fines or other fees associated with their non-compliance.

All SPU merchant locations are required to validate PCI DSS compliance at least annually by completing a PCI DSS self-assessment questionnaire (SAQ) in a timely manner. A questionnaire must be completed for each merchant account, and a new questionnaire must be filled out whenever any of the following has occurred:

  • payment processing system changes

  • a year has elapsed since your last SAQ

  • upon Finance request

The SAQ should be completed through https://pcicompliancemanager.com/ (provides a step-by-step walkthrough of the questionnaire) or by downloading and filling out the relevant SAQ form.

There are 8 merchant SAQ types, plus SAQ D-SP for service providers. Finance can help determine which type is required for your merchant location environment:

  • SAQ A: Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers.

  • SAQ A-EP: Merchants accepting only e-commerce transactions that have partially outsourced the e-commerce payment channel to compliant third parties; the merchant's website does not receive account data, but controls how customers, or their account data, are redirected to the third party.

  • SAQ B: Merchants using stand-alone, dial-out terminals.

  • SAQ B-IP: Merchants using stand-alone PTS-approved payment terminals with an IP connection to the payment processor.

  • SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

  • SAQ C-VT: Merchants with web-based virtual payment terminals provided and hosted by a PCI DSS compliant third-party service provider.

  • SAQ P2PE: All payment processing is via a validated PCI-listed P2PE solution.

  • SAQ D: Merchants with electronic storage of cardholder data; all merchants not included in the descriptions for the SAQ types above.

  • SAQ D-SP: All service providers defined by a payment brand as SAQ-eligible.

Definition of Terms

  • Payment Card Industry - Data Security Standard (PCI DSS): The PCI Security Standards Council publishes a set of standards for merchants to use to ensure secure handling of credit card transactions.

  • Cardholder Data (CHD): Name, card number/account number, expiration date, CVV2, CVC2, CID. In certain circumstances a portion of the card number may be visible (final 4 or first 6 digits). Includes both credit and debit cards.

  • Cardholder Data Environment (CDE): Any system, process, person, contractor, consultant, or device involved in submitting or completing credit card transactions. Any server, database, application, or network that stores or transmits cardholder data.

  • Point-of-sale devices (P2PE): Point-to-Point Encrypted devices are hardware solutions that provide PCI-grade encryption. Many options are available, from USB add-on hardware to stand-alone devices that connect to ethernet ports or cellular service providers.

  • Merchant ID (MID): The ID number provided by the bank or financial institution to the University.

  • Card Present Transaction: Card swipe/EMV chip read on equipment at the time of the transaction in the presence of the customer.

  • Card Not Present Transaction: Cardholder data entered by SPU staff based on information given over the phone, web, paper forms, or other means.

  • Self Service Transaction: Transactions initiated and performed by the cardholder in which no SPU personnel or equipment are involved in directly handling or transferring cardholder data, e.g. web-based via a payment gateway.

  • SAQ: PCI DSS self-assessment questionnaires.

Procedures

PCI DSS stands for the Payment Card Industry Data Security Standards. These were written by the PCI Security Standards Council to set standards for protecting cardholder data.

PCI DSS is divided into 6 areas with 12 requirements. The party responsible for each requirement at SPU is listed after it.

Build and maintain a secure network and systems

  • Install and maintain a firewall configuration to protect cardholder data. Responsible party: CIS

  • Do not use vendor-supplied defaults for system passwords and other security parameters. Responsible party: SPU merchant

Protect cardholder data

  • Protect stored cardholder data. Responsible party: SPU merchant

  • Encrypt transmission of cardholder data across open, public networks. Responsible party: SPU merchant, by using existing Payment Gateway Service Providers or P2PE hardware solutions

Maintain a vulnerability management program

  • Protect all systems against malware and regularly update anti-virus software or programs. Responsible party: CIS

  • Develop and maintain secure systems and applications. Responsible party: CIS

Implement strong access control measures

  • Restrict access to cardholder data by business need to know. Responsible party: SPU merchant

  • Identify and authenticate access to system components. Responsible party: CIS / SPU merchant

  • Restrict physical access to cardholder data. Responsible party: SPU merchant

Regularly monitor and test networks

  • Track and monitor all access to network resources and cardholder data. Responsible party: CIS / SPU merchant

  • Regularly test security systems and processes. Responsible party: CIS

Maintain an information security policy

  • Maintain a policy that addresses information security for all personnel. Responsible party: CIS

Key Roles and Responsibilities in PCI Compliance

Everyone involved in processing payment card transactions plays a critical role in keeping the customer’s credit or debit card information secure.


Managers

It is the responsibility of the managers to ensure that card payments are processed only on approved devices such as those which use point-to-point encryption (P2PE).

Managers must review reports on what the merchant location processed each day (high volume of transactions) or weekly (low volume of transactions) to check for accidental errors and any fraud.

Some merchant locations are small and don’t process many transactions, but it is still important to ensure that someone oversees the work of the individuals who handle payment transactions to ensure segregation of duties.

A manager is required to approve refunds.

What payment solutions does SPU use?

The PCI Security Standards Council determined that P2PE is the most secure way to process payment cards. It encrypts the card information at the point of capture on the device (swipe, keyed entry, or chip), so no unencrypted cardholder data travels across the SPU network.

Utilizing P2PE reduces the PCI compliance costs and the effort required for your department.

SPU merchants must use either P2PE devices or Payment Gateway Service Providers to process payment data.

To inquire about P2PE or Payment Gateway Service Provider solutions, contact Finance.

In person payments

Card Present Transactions

Card swipe or chip-insert at point of sale using a P2PE device. This must occur in view of the customer. CVVs must not be copied or stored.

When using a P2PE device, it is important to check it on a daily basis to ensure no one has tampered with it. When devices are not in use, they must be stored in a secure, locked location.

Never process payment cards by entering the card numbers directly on your computer's keyboard. Card numbers may only be typed into approved PCI-validated point-to-point encrypted (P2PE) devices. The only exception to this rule is for approved users of Converge.

Card Not Present Transactions

SPU prohibits the acceptance of credit card information by fax, email or instant messenger. As a best practice, the University strongly discourages the acceptance of credit card information via mail or phone.

If legitimate business reasons exist to accept credit card information via mail or phone, first notify Finance who will work with you to ensure that your procedures are compliant with PCI DSS requirements.

  • If your department accepts paper forms with credit card information via mail, take precautions to protect the information.

  • Store information in a secure location inaccessible to unauthorized personnel, such as a safe in a locked room.

  • Clearly mark documents as containing sensitive information, for example, in a folder labeled “Confidential.”

  • After you have processed the payments, immediately shred the paper records using a cross-cut shredder. Do not tear paper by hand or use a straight-cut shredder. 

  • The use of a virtual terminal with a PCI-validated P2PE device is the only permitted method of accepting card payments over the phone. The only exception to this rule is for approved users of Converge.

    • When accepting payments over the phone, it is critical that you do not enter in credit card numbers into your computer using your computer keyboard.

    • Never write down card holder information for processing at a later time.

Self-service payments

Online payments, or e-commerce payments, are a very popular way for customers to make donations, purchase tickets and other items.

Do not use self-service systems to submit cardholder data on behalf of the customer.

If a customer calls and wants help with an online payment page, you cannot go onto that page and complete the transaction for them over the phone. You must use a PCI validated P2PE device to take payments over the phone on campus (the only exception to this rule is for approved users of Converge).

Never recommend that a customer use public/shared systems for financial transactions, i.e. do not direct customers to an SPU computer lab, classroom, or kiosk computer to enter their card information. Provide the URL so they can complete the transaction on a device of their choice.

Internal Software

Many software systems are built to accept payments online. If you are a user of the software system and can access the customer database, be sure to immediately alert your supervisor if you are able to see cardholder information.

Password Management

PCI Security Standards Council requires you to update your software password at least every 90 days. Use complex passwords and never reuse passwords. Also, never use default passwords that sometimes come with software systems initially. Remember to keep your account log-in information secure, and don’t share it with others. If you provide someone else with access to your log-in information and that person violates the PCI DSS requirements or even causes a security breach, you may be held responsible.

P2PE devices

Device Inventory

Managers are responsible for keeping an accurate inventory of all devices in their department that accept credit card payments. Include each device's make and model, location (for example, the address of the site or facility where the device is located), and the serial number or other method of unique identification. Be sure to update this list each time you dispose of a device or get a new one.

Device Disposal

Be careful when disposing of old equipment.

  • Return old payment card terminals to Finance for proper disposal.

  • “Wipe” or remove all information from hard drives before replacing, selling, or discarding workstations.

FAQs

What if cardholder data is sent to you unsolicited via email?

Immediately notify the customer that the University does not accept cardholder data via email and provide alternative methods of completing the transaction. If you reply to the customer, remove any cardholder data from the reply message. After the customer has been notified, delete the email permanently (from the mail store, Deleted Items, and Recover Deleted Items).

What cardholder data needs to be protected?

Account data or cardholder data that you need to protect includes—but is not limited to—the following:

  • card number, known as the Primary Account Number (PAN)

  • cardholder name

  • expiration date

  • customer’s payment address.

If your payment system involves swiping cards, you must also protect the data in the magnetic stripe and chip of credit and debit cards. Depending on your system, you may also receive card verification security codes (including CVV2, CID, CAV2, and CVC2). Those are the three- or four-digit codes that appear on the front or back of a card. These also must be treated as sensitive data. Cardholder data also includes the PINs or PIN blocks for debit card transactions.
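The FAQ above and merchant requirement 5 both turn on one practical question: how do you find card numbers that have ended up in an inbox, a shared folder or a spreadsheet where the policy says they must not be? The following Python script is an added example of that check, written for this page; it is not SPU policy, not an SPU or CIS tool, and every function name in it is mine. It finds candidate card numbers with a regular expression, keeps only those that pass the Luhn check every real card number satisfies (so order and tracking numbers drop out), reports them masked to the first six and last four digits the page says may remain visible, and produces a redacted copy with security codes removed, the form a reply to the customer would need to take. The sample message is constructed; its card numbers are the publicly documented Visa and Mastercard test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card security codes written next to their label (CVV2, CVC2, CID, CAV2). These may
# never be kept at all, so they are removed outright rather than masked.
_SECURITY_CODE = re.compile(r"\b(CVV2?|CVC2?|CID|CAV2)\b\s*:?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every payment card number passes; filters out
    look-alike numbers such as order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most that may remain visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid card number in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


def redact(text: str) -> str:
    """Produce a copy that is safe to keep or send back: PANs masked, security codes removed."""
    def _mask_match(match) -> str:
        digits = re.sub(r"[ -]", "", match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()

    text = _PAN_CANDIDATE.sub(_mask_match, text)
    return _SECURITY_CODE.sub(lambda m: m.group(1) + " [removed]", text)


# Constructed sample (not a real message): an unsolicited e-mail of the kind the FAQ
# describes, mixed with values that look like card numbers but are not. The card
# numbers are the publicly documented Visa and Mastercard test numbers.
SAMPLE_EMAIL = """\
Subject: Conference registration
Hi, please charge my Visa 4111 1111 1111 1111, exp 09/27, CVV 123.
My colleague's card is 5555-5555-5555-4444.
Tracking number 1234567890123456 for the package.
Previously masked: 411111******1111
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_EMAIL):
        print(f"line {line_no}: unmasked card number {masked}")
    print(redact(SAMPLE_EMAIL))
```

Run against the sample, `find_pans` reports only lines 2 and 3: the tracking number on line 4 fails the Luhn check and the already-masked number on line 5 never matches, so the masked output does not re-trigger the scanner. The Luhn check removes most false positives but cannot rule out a non-card number that happens to pass it, so treat findings as a list for a person to review, and note that this check covers PANs and security codes only; it says nothing about PINs, magnetic-stripe or chip data, or expiry dates, which the FAQ lists as sensitive as well.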