PCI Compliance Procedures
PCI DSS stands for the Payment Card Industry Data Security Standards. These were written by the PCI Security Standards Council to set standards for protecting cardholder data.
PCI DSS is divided into 6 areas with 12 requirements.
| Areas | Requirements | Responsible Party |
|---|---|---|
| Build and maintain a secure network and systems | Install and maintain a firewall configuration to protect cardholder data. | N/A - SPU does not allow unencrypted cardholder data to traverse the SPU network. |
| | Do not use vendor-supplied defaults for system passwords and other security parameters. | SPU merchant |
| Protect cardholder data | Protect stored cardholder data. | SPU merchant |
| | Encrypt transmission of cardholder data across open, public networks. | SPU merchant, using existing Payment Gateway Service Providers or P2PE hardware solutions. |
| Maintain a vulnerability management program | Protect all systems against malware and regularly update anti-virus software or programs. | CIS |
| | Develop and maintain secure systems and applications. | CIS |
| Implement strong access control measures | Restrict access to cardholder data by business need-to-know. | SPU merchant |
| | Identify and authenticate access to system components. | CIS / SPU merchant |
| | Restrict physical access to cardholder data. | SPU merchant |
| Regularly monitor and test networks | Track and monitor all access to network resources and cardholder data. | SPU merchant / CIS |
| | Regularly test security systems and processes. | CIS |
| Maintain an information security policy | Maintain a policy that addresses information security for all personnel. | CIS |
Key Roles and Responsibilities in PCI Compliance
Everyone involved in processing payment card transactions plays a critical role in keeping the customer’s credit or debit card information secure.
Card handlers
Card handlers are individuals who handle card transactions, including payments and refunds.
If you are involved in handling transactions, you may also need to view information that customers provide. For example, a customer may provide payment information over the phone. Or, you may receive paper forms with payment information, such as donation request forms that were returned via mail.
Managers
It is the responsibility of the managers to ensure that card payments are processed only on approved devices such as those which use point-to-point encryption (P2PE).
Managers must review reports of what the merchant location processed, daily for locations with a high volume of transactions or weekly for locations with a low volume, to check for accidental errors and any fraud.
Some merchant locations are small and don’t process many transactions, but it is still important to ensure that someone oversees the work of the individuals who handle payment transactions to ensure segregation of duties.
A manager is required to approve refunds.
CIS
CIS staff are to be involved in the implementation, maintenance, and administration of any systems that involve payment card transactions.
Finance
The Treasury team within Finance manages the merchant card program across campus. From setting up new merchant accounts (MIDs) to assisting with reconciliation, they are the main point of contact on campus for all things payment card related, including:
Campus-wide PCI compliance strategies and policies
Reconciliation / Cash Receipt Tickets (CRTs)
Setting up new Merchant Accounts (MIDs)
Partnering with Arrow Payments on compliant payment solutions
What payment solutions does SPU use?
The PCI Security Standards Council determined that P2PE is the most secure way to process payment cards. It encrypts the card information at the device itself, at the moment of capture (swipe, keyed entry, or chip), so no unencrypted cardholder data travels across the SPU network.
Utilizing P2PE reduces the PCI compliance costs and the effort required for your department.
SPU merchants must process payment data using either P2PE devices or Payment Gateway Service Providers.
To inquire about P2PE or Payment Gateway Service Provider solutions, contact Finance.
Card Present Transactions
Card swipe or chip-insert at point of sale using a P2PE device. This must occur in view of the customer. CVVs must not be copied or stored.
When using a P2PE device, it is important to check it on a daily basis to ensure no one has tampered with it. When devices are not in use, they must be stored in a secure, locked location.
Never process payment cards by entering the card numbers directly on your computer’s keyboard. Card numbers may be keyed in only on a P2PE device.
Card-Not-Present Transactions
SPU prohibits the acceptance of credit card information by fax, email or instant messenger. As a best practice, the University strongly discourages the acceptance of credit card information via mail or phone.
If legitimate business reasons exist to accept credit card information via mail or phone, first notify Finance, who will work with you to ensure that your procedures are compliant with PCI DSS requirements.
If your department accepts paper forms with credit card information via mail, take precautions to protect the information.
Store information in a secure location inaccessible to unauthorized personnel, such as a safe in a locked room.
Clearly mark documents as containing sensitive information, for example, in a folder labeled “Confidential.”
After you have processed the payments, immediately shred the paper records using a cross-cut shredder. Do not tear paper by hand or use a straight-cut shredder.
The use of a virtual terminal with a PCI validated P2PE device is the only permitted method of accepting card payments over the phone.
When accepting payments over the phone, it is critical that you do not enter credit card numbers on your computer keyboard.
Never write down cardholder information for processing at a later time.
Self-service payments
Online payments, or e-commerce payments, are a very popular way for customers to make donations, purchase tickets and other items.
Do not use self-service systems to submit cardholder data on behalf of the customer.
If a customer calls and wants help with an online payment page, you cannot go onto that page and complete the transaction for them over the phone. You must use a PCI validated P2PE device to take payments over the phone on campus.
Never recommend that a customer use public or shared systems for financial transactions; for example, do not direct customers to an SPU computer lab, classroom, or kiosk computer to enter their card information. Provide the URL so they can complete the transaction on a device of their choice.
Internal Software
Many software systems are built to accept payments online. If you are a user of the software system and can access the customer database, be sure to immediately alert your supervisor if you are able to see cardholder information.
Password Management
The PCI Security Standards Council requires you to change your software passwords at least every 90 days. Use complex passwords and never reuse passwords. Never keep the default passwords that software systems sometimes ship with. Keep your account log-in information secure and do not share it with others. If you give someone else access to your log-in information and that person violates the PCI DSS requirements or even causes a security breach, you may be held responsible.
P2PE devices
Device Inventory
Managers are responsible for keeping an accurate inventory of all devices that accept credit card payments in your department. Include each device’s make and model, location (for example, the address of the site or facility where the device is located), and the serial number or other method of unique identification. Be sure to update this list each time you dispose of a device or get a new one.
Device Disposal
Be careful when disposing of old equipment.
Return old payment card terminals to Finance for proper disposal.
“Wipe” or remove all information from hard drives before replacing, selling, or discarding workstations.