PCI Compliance Policy

Policy Statement & Purpose

Table of Contents

This policy addresses the people, processes and controls required to protect Cardholder Data (CHD) received, processed, transmitted, stored by, or stored on behalf of, Seattle Pacific University.


Entities Affected by this Policy

All University Faculty and Staff.


Overview

The PCI Security Standards Council is is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. They publish a set of standards for merchants to use to ensure secure handling of payment card transactions. The current standard is PCI DSS v4.0 published in March 2022. 

All card processing activities and related technologies must comply fully with the Payment Card Industry Data Security Standard (PCI DSS).


SPU Merchant Requirements

SPU schools and departments (SPU merchants) who accept payment via credit or debit cards, must:

  1. Use existing "Payment Gateway Service Providers" such as Nelnet/Commerce Manager and Blackbaud Merchant Services, where possible.

  2. Use "self-service" (user initiated and completed) processes whenever possible to reduce the direct involvement of University employees in performing payment card transactions.

  3. When card-present or card-not-present transactions are required, implement an approved Point-to-Point-Encrypted (P2PE) hardware solution (e.g., using a Square device).

    1. SPU provided laptops, desktop computers, mobile devices, and SPU network resources (wired, wireless, internet connection) can not be used to submit credit card transactions without an attached P2PE device.

    2. Devices personally-owned by a SPU staff member facilitating the transaction (laptops, desktop computers, mobile devices, tablets, smartphones, etc..) must not be used to submit credit card transactions.

  4. Eliminate payment card data from paper forms and processes.

  5. Not collect or store cardholder data in any system, database, document, worksheet, email, electronic or paper format ("data-at-rest"). This includes any computing device, file server, mobile device, thumb-drive, external storage device, etc.

  6. Not transmit cardholder data in email, SMS/text, FAX, instant messaging/chat, Telnt/FTP, SSH or any other electronic messaging or transmission system (whether encrypted or non-encrypted), except via approved P2PE mechanisms.

  7. Ensure all access to the cardholder data environment requires authorized credentials, unique and secure passwords, and proper login/logout procedures.  Group, shared, or generic usernames and passwords are prohibited. Default passwords for any and all transaction services and resources must be disabled and never used.

  8. Complete a PCI DSS self-assessment questionnaire to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS) each year.

Please reach out to Finance before contracting with any Payment Gateway Service Provider or P2PE.


PCI DSS Self Assessment Questionnaires

Annually, SPU merchants must complete a PCI DSS self-assessment questionnaire to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

SPU merchants shall be responsible for costs associated with PCI DSS compliance as well as any fines or other fees associated with their non-compliance.

All SPU merchant locations are required to validate PCI-DSS compliance at least annually by completing a PCI DSS self-assessment questionnaire (SAQ) in a timely manner. A questionnaire must be completed for each merchant account, and a new questionnaire must be filled out whenever any of the following have occurred:

  • payment processing system changes

  • a year has elapsed since your last SAQ

  • upon Finance request

The SAQ should be completed throughPCI Compliance Manager(provides step-by-step walkthrough of the questionnaire) or by downloading and filling out the relevant SAQ form.

There are 8 types of SAQ. Finance can help determine which type is required for your merchant location environment:

SAQ

Description

SAQ

Description

A

Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers

A-EP

​Merchants accepting only e-commerce transactions that have partially outsourced the e-commerce payment channel to compliant third parties; merchant’s website does not receive account data, but controls how customers, or their account data, are re-directed to the third-party.

B

Merchants using stand-alone, dial-out terminals

B-IP

Merchants using stand-alone PTS-approved payment terminals with an IP connection to the payment processor

C

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage

C-VT

Merchants with web-based virtual payment terminals provided and hosted by a PCI DSS compliant third-party service provider

P2PE

All payment processing is via a validated PCI-listed P2PE solution

D

Merchants with electronic storage of cardholder data; all merchants not included in the descriptions for above SAQ types

D-SP

All service providers defined by a payment brand as SAQ-eligible


Definition of Terms

Term

Definition

Term

Definition

Payment Card Industry - Data Security Standard (PCI DSS)

The PCI Security Standards Council publishes a set of standards for merchants to use to ensure secure handling of credit card transactions.

Cardholder Data (CD)

Name, card number/account number, expiration date, CVV2, CVC2, CID. In certain circumstances a portion of the card may be visible (final 4 or first 6 numbers). Includes both credit and debit cards.

Cardholder Data Environment (CDE)

Any system, process, person, contractor, consultant, or device involved in submitting or completing credit card transactions. Any server, database, application, or network that stores or transmits card holder data.

Point-of-sale devices (P2PE)

Point-to-Point-Encrypted devices that are hardware solutions that provide PCI grade encryption. Many options are available from USB add-on hardware, to stand alone devices that connect to ethernet ports or cellular service providers.

Merchant ID (MID)

The ID number that is provided by the bank or financial institution to the University.

Card-Present Transaction

Card swipe/EMV chip read equipment at the time of transaction in the presence of the customer.

Card-Not-Present Transaction

Cardholder data entered by SPU staff based on information given over the phone, web, paper forms, or other means.

Self-Service Transaction

Transactions initiated and performed by the cardholder in which no SPU personnel or equipment are involved in directly handling or transferring cardholder data e.g. web based via payment gateway.

SAQ

A "Self-Assessment Questionnaire" (SAQ) includes a series of questions for each applicable PCI Data Security Standard requirement. There are different questionnaires available to meet different merchant environments.

 

Policy Version: 1.01

Responsible Office: Finance

Responsible Executive: VP Business & Finance

Effective Date: 03/31/2024

Next Review Date: 03/31/2027

Policy Version: 1.01

Responsible Office: Finance

Responsible Executive: VP Business & Finance

Effective Date: 03/31/2024

Next Review Date: 03/31/2027