PCI Compliance
As a business accepting card payments, Seattle Pacific University needs to take a number of steps to protect our customers and our business and to reduce our exposure to fraud.
Annually, any department within the university that accepts payment via credit or debit card must complete a PCI DSS self-assessment questionnaire to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). Finance and CIS are available to support departments completing PCI DSS self-assessment questionnaires, and Finance will retain a copy of each department's completed questionnaire.
Policy
This policy addresses the people, processes and controls required to protect Cardholder Data (CHD) received, processed, transmitted, stored by, or stored on behalf of, Seattle Pacific University.
Overview
The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. It publishes a set of standards for merchants to use to ensure secure handling of payment card transactions. The current standard is PCI DSS v4.0, published in March 2022.
All card processing activities and related technologies must comply fully with the Payment Card Industry Data Security Standard (PCI DSS).
SPU Merchant Requirements
SPU schools and departments (SPU merchants) who accept payment via credit or debit cards, must:
Use existing "Payment Gateway Service Providers" such as Nelnet/Commerce Manager and Blackbaud Merchant Services.
Use "self service" (user initiated and completed) processes whenever possible to reduce the direct involvement of University employees in performing payment card transactions.
When card-present or card-not-present transactions are required, implement an approved Point-to-Point Encryption (P2PE) hardware solution, e.g. using Square services.
Eliminate payment card data from paper forms and processes.
Do not collect or store cardholder data in any system, database, document, worksheet, email, electronic or paper format ("data-at-rest"). This includes any computing device, file server, mobile device, thumb-drive, external storage device, etc.
Do not transmit cardholder data in email, SMS/text, FAX, instant messaging/chat, Telnet/FTP, SSH or any other electronic messaging or transmission system (whether encrypted or non-encrypted), except via approved P2PE mechanisms.
Ensure all access to the cardholder data environment requires authorized credentials, unique and secure passwords, and proper login/logout procedures. Group, shared, or generic usernames and passwords are prohibited. Default passwords for any and all transaction services and resources must be disabled and never used.
Complete a PCI DSS self-assessment questionnaire each year to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Please reach out to Finance before contracting with any Payment Gateway Service Provider or P2PE solution provider.
PCI DSS Self Assessment Questionnaires
Annually, SPU merchants must complete a PCI DSS self-assessment questionnaire to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS).
SPU Merchants shall be responsible for costs associated with PCI DSS compliance as well as any fines or other fees associated with their non-compliance.
All SPU merchant locations are required to validate PCI DSS compliance at least annually by completing a PCI DSS self-assessment questionnaire (SAQ) in a timely manner. A questionnaire must be completed for each merchant account, and a new questionnaire must be filled out whenever any of the following has occurred:
payment processing system changes
a year has elapsed since your last SAQ
upon Finance request
The SAQ should be completed through https://pcicompliancemanager.com/.
The nine SAQ types are listed below. Finance can help determine which type is required for your merchant location environment:
SAQ | Description |
---|---|
A | Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers |
A-EP | Merchants accepting only e-commerce transactions that have partially outsourced the e-commerce payment channel to compliant third parties; merchant’s website does not receive account data, but controls how customers, or their account data, are re-directed to the third-party. |
B | Merchants using stand-alone, dial-out terminals |
B-IP | Merchants using stand-alone PTS-approved payment terminals with an IP connection to the payment processor |
C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage |
C-VT | Merchants with web-based virtual payment terminals provided and hosted by a PCI DSS compliant third-party service provider |
P2PE | All payment processing is via a validated PCI-listed P2PE solution |
D | Merchants with electronic storage of cardholder data; all merchants not included in the descriptions for above SAQ types |
D-SP | All service providers defined by a payment brand as SAQ-eligible |
SPU Merchant/Departmental credit card transaction procedures:
SPU provided laptops, desktop computers, mobile devices, and SPU network resources (wired, wireless, internet connection) can NOT be used to submit credit card transactions without an attached P2PE device.
Devices personally-owned by the SPU staff member facilitating the transaction (laptops, desktop computers, mobile devices, tablets, smartphones, etc..) must NOT be used to submit credit card transactions.
P2PE devices are required for:
Card-Present procedures: card-swipe or chip-insert at point of sale (P2PE device) with process in view of the customer. CVV must not be copied or stored.
Card-Not-present procedures (phone, postal mail, etc): card-entry at point of sale (P2PE device) on dedicated touch-pad.
Never use existing "self-service" systems to submit credit card data on behalf of the customer (you may use "Converge" during this transition to P2PE devices, but do not use the self-service systems).
If cardholder data is sent to you unsolicited via email, immediately notify the customer that the University does not accept credit card data via email and provide alternative methods of completing the transaction. If an email is sent back to the customer, any credit card data must be deleted from the return message. After the customer has been notified, delete the original email permanently (SHIFT+DELETE), and also remove it from the Deleted Items and Recover Deleted Items stores so no copy remains in the mailbox.
DO NOT direct customers to an SPU computer lab, classroom, or kiosk computer to enter their credit card information. Provide the URL where they can select a device of their choice to complete the transaction. We never recommend using public/shared systems for financial transactions, for SPU transactions or otherwise.
All departments will complete appropriate reconciliation and submittal of transaction charges on a timely basis (generally daily). Transactions are not to be held and batched at a later time.
Definition of Terms
Term | Definition |
---|---|
Payment Card Industry - Data Security Standard (PCI DSS) | The PCI Security Standards Council publishes a set of standards for merchants to use to ensure secure handling of credit card transactions. |
Cardholder Data (CHD) | Name, card number/account number, expiration date, CVV2, CVC2, CID. In certain circumstances a portion of the card number may be displayed (the last 4 or first 6 digits). Includes both credit and debit cards. |
Cardholder Data Environment (CDE) | Any system, process, person, contractor, consultant, or device involved in submitting or completing credit card transactions. Any server, database, application, or network that stores or transmits card holder data. |
Point-to-Point Encryption (P2PE) devices | Point-of-sale hardware that encrypts card data at the point of capture so that it is never exposed to SPU systems. Many options are available, from USB add-on hardware to stand-alone devices that connect via Ethernet or a cellular service provider. |
Merchant ID (MID) | The ID number that is provided by the bank or financial institution to the University. |
Card Present Transaction | Card swipe/EMV chip read equipment at the time of transaction in the presence of the customer. |
Card Not Present Transaction | Cardholder data entered by SPU staff based on information given over the phone, web, paper forms, or other means. |
Self Service Transaction | Transactions initiated and performed by the cardholder in which no SPU personnel or equipment are involved in directly handling or transferring cardholder data e.g. web based via payment gateway. |
SAQ | A "Self Assessment Questionnaire" (SAQ) includes a series of questions for each applicable PCI Data Security Standard requirement. There are different questionnaires available to meet different merchant environments. |