PCI DSS stands for the Payment Card Industry Data Security Standard. It was written by the PCI Security Standards Council to set standards for protecting cardholder data.
PCI DSS is divided into 6 areas with 12 requirements.
| Areas | Requirements | Responsible Party |
|---|---|---|
| Build and maintain a secure network and systems | Install and maintain a firewall configuration to protect cardholder data. | CIS |
| | Do not use vendor-supplied defaults for system passwords and other security parameters. | SPU merchant |
| Protect cardholder data | Protect stored cardholder data. | SPU merchant |
| | Encrypt transmission of cardholder data across open, public networks. | SPU merchant, by using existing Payment Gateway Service Providers or P2PE hardware solutions |
| Maintain a vulnerability management program | Protect all systems against malware and regularly update anti-virus software or programs. | CIS |
| | Develop and maintain secure systems and applications. | CIS |
| Implement strong access control measures | Restrict access to cardholder data by business need to know. | SPU merchant |
| | Identify and authenticate access to system components. | CIS / SPU merchant |
| | Restrict physical access to cardholder data. | SPU merchant |
| Regularly monitor and test networks | Track and monitor all access to network resources and cardholder data. | CIS / SPU merchant |
| | Regularly test security systems and processes. | CIS |
| Maintain an information security policy | Maintain a policy that addresses information security for all personnel. | CIS |
Key Roles and Responsibilities in PCI Compliance
Everyone involved in processing payment card transactions plays a critical role in keeping the customer’s credit or debit card information secure.
Card handlers
Card handlers are individuals who handle card transactions, including payments and refunds.
If you are involved in handling transactions, you may also need to view information that customers provide. For example, a customer may provide payment information over the phone. Or, you may receive paper forms with payment information, such as donation request forms that were returned via mail.
Managers
It is the responsibility of the managers to ensure that card payments are processed only on approved devices such as those which use point-to-point encryption (P2PE).
Managers must review reports on what the merchant location processed each day (high volume of transactions) or weekly (low volume of transactions) to check for accidental errors and any fraud.
Some merchant locations are small and don’t process many transactions, but it is still important to ensure that someone oversees the work of the individuals who handle payment transactions to ensure segregation of duties.
A manager is required to approve refunds.
CIS
CIS staff are involved in the design, development, maintenance, and administration of any systems that involve payment card transactions.
Finance
The Treasury team within Finance manages the merchant card program across campus. From setting up new merchant accounts (MIDs) to assisting with reconciliation, they are the main point of contact on campus for all things payment card related, including:
Campus-wide PCI compliance strategies and policies
Reconciliation / Cash Receipt Tickets (CRTs)
Setting up new Merchant Accounts (MIDs)
Partnering with Arrow Payments on compliant payment solutions
What payment solutions does SPU use?
The PCI Security Standards Council determined that P2PE is the most secure way to process payment cards. It encrypts the card information at the point of interaction on the device (swipe, keyed entry, or chip), so no unencrypted cardholder data travels across the SPU network.
Utilizing P2PE reduces the PCI compliance costs and the effort required for your department.
SPU merchants must process payment data using either P2PE devices or Payment Gateway Service Providers.
To inquire about P2PE or Payment Gateway Service Provider solutions, contact Finance.
In person payments
Card Present Transactions
Card swipe or chip-insert at point of sale using a P2PE device. This must occur in view of the customer. CVVs must not be copied or stored.
When using a P2PE device, it is important to check it on a daily basis to ensure no one has tampered with it. When devices are not in use, they must be stored in a secure, locked location.
Never process payment cards by entering the card numbers directly on your computer’s keyboard. Only approved, PCI-validated point-to-point encryption (P2PE) devices may be used to key in card numbers. The only exception to this rule is for approved users of Converge.
Card Not Present Transactions
SPU prohibits the acceptance of credit card information by fax, email or instant messenger. As a best practice, the University strongly discourages the acceptance of credit card information via mail or phone.
If legitimate business reasons exist to accept credit card information via mail or phone, first notify Finance, who will work with you to ensure that your procedures are compliant with PCI DSS requirements.
If your department accepts paper forms with credit card information via mail, take precautions to protect the information.
Store information in a secure location inaccessible to unauthorized personnel, such as a safe in a locked room.
Clearly mark documents as containing sensitive information, for example, in a folder labeled “Confidential.”
After you have processed the payments, immediately shred the paper records using a cross-cut shredder. Do not tear paper by hand or use a straight-cut shredder.
The use of a virtual terminal with a PCI validated P2PE device is the only permitted method of accepting card payments over the phone. The only exception to this rule is for approved users of Converge.
When accepting payments over the phone, it is critical that you never enter credit card numbers using your computer keyboard.
Never write down card holder information for processing at a later time.
Self-service payments
Online payments, or e-commerce payments, are a very popular way for customers to make donations, purchase tickets and other items.
Do not use self-service systems to submit cardholder data on behalf of the customer.
If a customer calls and wants help with an online payment page, you cannot go onto that page and complete the transaction for them over the phone. You must use a PCI validated P2PE device to take payments over the phone on campus (the only exception to this rule is for approved users of Converge).
Never recommend that a customer use public or shared systems for financial transactions; that is, do not direct customers to an SPU computer lab, classroom, or kiosk computer to enter their card information. Provide the URL so they can complete the transaction on a device of their choice.
Internal Software
Many software systems are built to accept payments online. If you are a user of the software system and can access the customer database, be sure to immediately alert your supervisor if you are able to see cardholder information.
Password Management
The PCI Security Standards Council requires you to update your software password at least every 90 days. Use complex passwords and never reuse passwords. Also, never use the default passwords that sometimes come with software systems initially. Remember to keep your account log-in information secure, and don’t share it with others. If you provide someone else with access to your log-in information and that person violates the PCI DSS requirements or even causes a security breach, you may be held responsible.
P2PE devices
Device Inventory
Managers are responsible for keeping an accurate inventory of all devices that accept credit card payments in your department. Include each device’s make and model, location (for example, the address of the site or facility where the device is located), and the serial number or other method of unique identification. Be sure to update this list each time you dispose of a device or get a new one.
Device Disposal
Be careful when disposing of old equipment.
Return old payment card terminals to Finance for proper disposal.
“Wipe” or remove all information from hard drives before replacing, selling, or discarding workstations.
FAQs
What if cardholder data is sent to you unsolicited via email? Immediately notify the customer that the University does not accept cardholder data via email and provide alternative methods of completing the transaction. If an email is sent back to the customer, any cardholder data must be deleted from the return message. After the customer has been notified, delete the email permanently: remove it from the email store, from Deleted Items, and from Recover Deleted Items.
What cardholder data needs to be protected?
Account data or cardholder data that you need to protect includes—but is not limited to—the following:
card number, known as the Primary Account Number (PAN)
cardholder name
expiration date
customer’s payment address.
If your payment system involves swiping cards, you must also protect the data in the magnetic stripe and chip of credit and debit cards. Depending on your system, you may also receive card verification security codes (including CVV2, CID, CAV2, and CVC2). Those are the three- or four-digit codes that appear on the front or back of a card. These also must be treated as sensitive data. Cardholder data also includes the PINs or PIN blocks for debit card transactions.
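The data elements listed above are exactly what a detection or redaction routine has to recognise. As an added example (not part of the University's policy or of any SPU tool), the following Python script finds Luhn-valid card numbers in a constructed sample e-mail, the situation the FAQ describes, masks them to the last four digits, and removes any labelled card verification code before a reply goes back; the regular expressions and the sample text are assumptions of the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
# (assumed pattern for this example; the Luhn check removes most false positives).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card verification codes written next to their label (CVV2, CID, CAV2, CVC2).
CODE_RE = re.compile(r"\b(CVV2?|CVC2?|CID|CAV2)\b[ :]*\d{3,4}\b", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: a format test for card numbers, not proof the account exists."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers in text, digits only, in order of appearance."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a reply or log should ever show."""
    return "*" * (len(digits) - 4) + digits[-4:]

def redact(text: str) -> str:
    """Mask every Luhn-valid PAN and strip any labelled verification code from text."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    text = CODE_RE.sub(lambda m: m.group(1) + " [removed]", text)
    return PAN_RE.sub(_mask, text)

# Constructed sample: an unsolicited e-mail body using a well-known test card number.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111, exp 09/27, CVV 123.\n"
    "My order reference is 1234567890123456. Thanks!"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_EMAIL))  # ['4111111111111111']; the order reference fails Luhn
    print(redact(SAMPLE_EMAIL))
```

The 16-digit order reference is left untouched because it fails the Luhn check, which is why the check matters more than the digit count when scanning mail or logs.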