PCI Security Standards Council
The PCI Security Standards Council is is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. They publish a set of standards for merchants to use to ensure secure handling of credit card transactions. The current standard is PCI DSS v3.2.1 published in May 2018.
SPU PCI DSS Requirements
The University is obligated to handle credit card transactions securely. The responsibility for PCI DSS compliance is shared among all departments and individuals that handle cardholder data on behalf of the University and we should view compliance as a part of normal business practice.
Requirements for SPU PCI DSS compliance:
- Narrow the PCI "scope" for protecting the credit card data flows during the transaction and processing of payments. There are four strategies used to narrow the scope:
- Use existing "Payment Gateway Service Providers" such as Nelnet/Commerce Manager and Blackbaud Merchant Services.
- Use "self service" (user initiated and completed) processes whenever possible to reduce the direct involvement of University employees in performing credit card transactions.
- When card-present or card-not-present transactions are required – implement an approved Point-to-Point-Encrypted (P2PE) hardware solution.
- Eliminate payment card data from paper forms and processes.
- Do not collect or store cardholder data in any system, database, document, worksheet, email, electronic or paper format ("data-at-rest"). This includes any computing device, file server, mobile device, thumb-drive, external storage device, etc...
- Do not transmit cardholder data in email, SMS/text, FAX, instant messaging/chat, Telnt/FTP, SSH or any other electronic messaging or transmission system (whether encrypted or non-encrypted), except via approved P2PE mechanisms ("data-in-transit").
- All employees, contractors, consultants, or individuals working with or processing credit card data on behalf of the University must be explicitly authorized and properly trained to do so.
- All access to the cardholder data environment requires authorized credentials, unique and secure passwords, and proper login/logout procedures. Group, shared, or generic usernames and passwords are prohibited. Default passwords for any and all transaction services and resources must be disabled and never used.
- Complete a PCI DSS "self assessment" for campus merchant/department handling of credit card transactions.
SPU Policies and Procedures for Credit Card Handling
SPU Merchant/Departmental credit card transaction procedures:
- SPU provided laptops, desktop computers, mobile devices, and SPU network resources (wired, wireless, internet connection) can NOT be used to submit credit card transactions without an attached P2PE device.
- Devices personally-owned by the SPU staff member facilitating the transaction (laptops, desktop computers, mobile devices, tablets, smartphones, etc..) must NOT be used to submit credit card transactions.
- P2PE devices are required for:
- Card-Present procedures: card-swipe or chip-insert at point of sale (P2PE device) with process in view of the customer. CVV must not be copied or stored.
- Card-Not-present procedures (phone, postal mail, etc): card-entry at point of sale (P2PE device) on dedicated touch-pad.
- Never use existing “self-service” systems to submit credit card data on behalf of the customer (you can use “Converge” during this transition to P2PE devices, but don not use the self-service systems).
- If cardholder data is sent to you unsolicited via email -- immediately notify the customer that the University does not accept credit card data via email and provide alternative methods of completing the transaction. If email is sent back to the customer any credit card data must be deleted from the return message. Delete the email (permanent delete from email store, deleted items, and recover deleted items (DELETE/SHIFT) after the customer has been notified.
- DO NOT direct customers to an SPU computer lab, classroom, or kiosk computer to enter their credit card information. Provide the URL where they can select a device of their choice to complete the transaction. We never recommend using public/shared systems for financial transactions, for SPU transactions or otherwise.
- All departments will complete appropriate reconciliation and submittal of transaction charges on a timely basis (generally daily). Transactions are not to be held and batched at a later time.
- Procedures for disputes, chargebacks, and credits – handled individually by the Finance Office
Definition of Terms
Term | Definition |
---|---|
PCI DSS | Payment Card Industry - Data Security Standard (PCI DSS) The PCI Security Standards Council publishes a set of standards for merchants to use to ensure secure handling of credit card transactions. The current standard is PCI DSS v3.2.1 |
Cardholder Data (CD) | Name, card number/account number, expiration date, CVV2, CVC2, CID. In certain circumstances a portion of the card may be visible (final 4 or first 6 numbers). Includes both credit and debit cards. |
Cardholder Data Environment (CDE) | Any system, process, person, contractor, consultant, or device involved in submitting or completing credit card transactions. Any server, database, application, or network that stores or transmits card holder data. |
In-Scope vs. Out-of-scope | "In-scope" = any CDE that is under the control of the university and directly involved in the processing or submission of card holder data. "Out-of-scope" = transaction elements outside the control of the university (compliance rests with the outside resource or agent). |
Point-of-sale devices | P2PE -- Point-to-Point-Encrypted devices that are hardware solutions that provide PCI grade encryption. Many options are available from USB add-on hardware, to stand alone devices that connect to ethernet ports or cellular service providers. |
Merchant ID (MID) | The ID number that is provided by the bank or financial institution to the University. |
Card Swipe/EMV Reader | In a card-present transaction the card reader gathers cardholder data when the magnetic stripe is swiped. EMV stands for Europay, MasterCard, and Visa, the three companies that originally created the standard and refers to the security "chip" that is embedded in most credit cards. |
Types of transactions | There are many type of transaction performed on campus:
|
QSA | A "Qualified Security Assessor" (QSA) is a person who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance. |
SAQ | A "Self Assessment Questionnaire" (SAQ) includes a series of questions for each applicable PCI Data Security Standard requirement. There are different questionnaires available to meet different merchant environments. |