...
Areas | Requirements | Responsible Party |
|---|---|---|
Build and maintain a secure network and systems | Install and maintain a firewall configuration to protect cardholder data.CIS | N/A - SPU does not allow unencrypted cardholder data to traverse the SPU network. |
Do not use vendor-supplied defaults for system passwords and other security parameters. | SPU merchant
| |
Protect cardholder data | Protect stored cardholder data. | SPU merchant |
Encrypt transmission of cardholder data across open, public networks. | SPU merchant via using existing Payment Gateway Service Providers or P2PE hardware solutions. | |
Maintain a vulnerability management program | Protect all systems against malware and regularly update anti-virus software or programs. | CIS |
Develop and maintain secure systems and applications. | CIS | |
Implement strong access control measures | Restrict access to cardholder data by business need-to-know. | SPU merchant |
Identify and authenticate access to system components. | CIS / SPU merchant | |
Restrict physical access to cardholder data. | SPU merchant | |
Regularly monitor and test networks | Track and monitor all access to network resources and cardholder data. | CIS / SPU merchant / CIS |
Regularly test security systems and processes. | CIS | |
Maintain an information security policy | Maintain a policy that addresses information security for all personnel. | CIS |
...
A manager is required to approve refunds.
CIS
CIS staff are to be involved in the designimplementation, development, maintenance, and administration of any systems that involve payment card transactions.
...
Never process payment cards by entering the card numbers directly on your computer’s keyboard. Only the P2PE devices are allowed to type in card numbers. The only exception to this rule is for approved users of Converge.
Card-Not-Present Transactions
...
If your department accepts paper forms with credit card information via mail, take precautions to protect the information.
Store information in a secure location inaccessible to unauthorized personnel, such as a safe in a locked room.
Clearly mark documents as containing sensitive information, for example, in a folder labeled “Confidential.”
After you have processed the payments, immediately shred the paper records using a cross-cut shredder. Do not tear paper by hand or use a straight-cut shredder.
The use of a virtual terminal with a PCI validated P2PE device is the only permitted method of accepting card payments over the phone. The only exception to this rule is for approved users of Converge.
When accepting payments over the phone, it is critical that you do not enter in credit card numbers into your computer using your computer keyboard.
Never write down cardholder information for processing at a later time.
...
If a customer calls and wants help with an online payment page, you cannot go onto that page and complete the transaction for them over the phone. You must use a PCI validated P2PE device to take payments over the phone on campus (the only exception to this rule is for approved users of Converge).
Never recommend a customer uses public/shared systems for financial transactions i.e. do not direct customers to an SPU computer lab, classroom, or kiosk computer to enter their card information. Provide the URL where they can select a device of their choice to complete the transaction.
...