PCI DSS Credit Card Handling

Statement and Purpose

Table of Contents

The offices of Finance and Computer & Information Systems are responsible for SPU's compliance with the Payment Card Industry - Data Security Standards (PCI-DSS). The University has an obligation to protect card holder data that is used for the purchase of goods or services, or for donations to the University. These credit card handling policies and procedures are intended to provide direction and training to campus merchant departments to protect against exposure and theft of account and personal cardholder information that has been provided to SPU and ensure compliance with industry regulations.

PCI DSS is a set of comprehensive requirements for enhancing credit card data security. The standards were developed by the PCI Security Standards Council. To protect against loss and fraud and to limit University liability, the University must comply with these requirements for securely processing, transmitting, and disposing of cardholder data. 

Entities Affected By This Policy

All departments and individuals who handle credit card transactions on behalf of the university.

Reason for This Policy

To establish a baseline understanding of PCI DSS credit card handling procedures for SPU merchant departments.

  • Educate campus merchants/departments to securely handle credit card transactions.
  • Reduce the University's PCI "scope" for the flow of credit card data and transactions.
  • Reduce financial and reputation risk while still providing the convenience of credit card payments for campus customers.
  • Comply with legal agreements with our banks and financial institutions.
  • Implement hardware and software solutions to ensure secure transaction processing.

Version: 1.1

Effective Date: November 16, 2016
Last Updated:  
January 23, 2017 (minor edits)

Responsible Offices:
Office of Financial Affairs
Computer and Information Systems

Responsible Executives:
AVP for Financial Affairs
AVP for Technology Services/CIO

PCI Security Standards Council

The PCI Security Standards Council is is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. They publish a set of standards for merchants to use to ensure secure handling of credit card transactions. The current standard is PCI DSS v3.2.1 published in May 2018. 

SPU PCI DSS Requirements

The University is obligated to handle credit card transactions securely.  The responsibility for PCI DSS compliance is shared among all departments and individuals that handle cardholder data on behalf of the University and we should view compliance as a part of normal business practice.  

Requirements for SPU PCI DSS compliance:

  1. Narrow the PCI "scope" for protecting the credit card data flows during the transaction and processing of payments.  There are four strategies used to narrow the scope:
    1. Use existing "Payment Gateway Service Providers" such as Nelnet/Commerce Manager and Blackbaud Merchant Services.
    2. Use "self service" (user initiated and completed) processes whenever possible to reduce the direct involvement of University employees in performing credit card transactions.
    3. When card-present or card-not-present transactions are required – implement an approved Point-to-Point-Encrypted (P2PE) hardware solution.
    4. Eliminate payment card data from paper forms and processes.
  2. Do not collect or store cardholder data in any system, database, document, worksheet, email, electronic or paper format ("data-at-rest").  This includes any computing device, file server, mobile device, thumb-drive, external storage device, etc...
  3. Do not transmit cardholder data in email, SMS/text, FAX, instant messaging/chat, Telnt/FTP, SSH or any other electronic messaging or transmission system (whether encrypted or non-encrypted), except via approved P2PE mechanisms ("data-in-transit").
  4. All employees, contractors, consultants, or individuals working with or processing credit card data on behalf of the University must be explicitly authorized and properly trained to do so.
  5. All access to the cardholder data environment requires authorized credentials, unique and secure passwords, and proper login/logout procedures.  Group, shared, or generic usernames and passwords are prohibited. Default passwords for any and all transaction services and resources must be disabled and never used.
  6. Complete a PCI DSS "self assessment" for campus merchant/department handling of credit card transactions.

SPU Policies and Procedures for Credit Card Handling

SPU Merchant/Departmental credit card transaction procedures:

  1. SPU provided laptops, desktop computers, mobile devices, and SPU network resources (wired, wireless, internet connection) can NOT be used to submit credit card transactions without an attached P2PE device.
  2. Devices personally-owned by the SPU staff member facilitating the transaction (laptops, desktop computers, mobile devices, tablets, smartphones, etc..) must NOT be used to submit credit card transactions.
  3. P2PE devices are required for:
    1. Card-Present procedures: card-swipe or chip-insert at point of sale (P2PE device) with process in view of the customer. CVV must not be copied or stored.
    2. Card-Not-present procedures (phone, postal mail, etc): card-entry at point of sale (P2PE device) on dedicated touch-pad.
  4. Never use existing “self-service” systems to submit credit card data on behalf of the customer (you can use “Converge” during this transition to P2PE devices, but don not use the self-service systems).
  5. If cardholder data is sent to you unsolicited via email -- immediately notify the customer that the University does not accept credit card data via email and provide alternative methods of completing the transaction. If email is sent back to the customer any credit card data must be deleted from the return message. Delete the email (permanent delete from email store, deleted items, and recover deleted items (DELETE/SHIFT) after the customer has been notified. 
  6. DO NOT direct customers to an SPU computer lab, classroom, or kiosk computer to enter their credit card information. Provide the URL where they can select a device of their choice to complete the transaction. We never recommend using public/shared systems for financial transactions, for SPU transactions or otherwise.
  7. All departments will complete appropriate reconciliation and submittal of transaction charges on a timely basis (generally daily). Transactions are not to be held and batched at a later time.
  8. Procedures for disputes, chargebacks, and credits – handled individually by the Finance Office

Definition of Terms

PCI DSSPayment Card Industry - Data Security Standard (PCI DSS) The PCI Security Standards Council publishes a set of standards for merchants to use to ensure secure handling of credit card transactions. The current standard is PCI DSS v3.2.1
Cardholder Data (CD)

Name, card number/account number, expiration date, CVV2, CVC2, CID. In certain circumstances a portion of the card may be visible (final 4 or first 6 numbers). Includes both credit and debit cards.

Cardholder Data Environment (CDE)

Any system, process, person, contractor, consultant, or device involved in submitting or completing credit card transactions. Any server, database, application, or network that stores or transmits card holder data.

In-Scope vs. Out-of-scope

"In-scope" = any CDE that is under the control of the university and directly involved in the processing or submission of card holder data.

"Out-of-scope" = transaction elements outside the control of the university (compliance rests with the outside resource or agent).

Point-of-sale devices

P2PE -- Point-to-Point-Encrypted devices that are hardware solutions that provide PCI grade encryption. Many options are available from USB add-on hardware, to stand alone devices that connect to ethernet ports or cellular service providers.

Merchant ID (MID)The ID number that is provided by the bank or financial institution to the University.
Card Swipe/EMV ReaderIn a card-present transaction the card reader gathers cardholder data when the magnetic stripe is swiped. EMV stands for Europay, MasterCard, and Visa, the three companies that originally created the standard and refers to the security "chip" that is embedded in most credit cards.
Types of transactions

There are many type of transaction performed on campus:

  1. Card Present (CP) – card swipe/EMV chip read equipment at the time of transaction in the presence of the customer.
  2. Card Not Present (CNP) – phone, web-based, paper forms, or other means.
  3. Self-service (web based) via payment gateway - those transactions initiated and performed by the cardholder in which no SPU personnel or equipment are involved in directly handling or transferring cardholder data.
QSAA "Qualified Security Assessor" (QSA) is a person who has been certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.
SAQA "Self Assessment Questionnaire" (SAQ) includes a series of questions for each applicable PCI Data Security Standard requirement. There are different questionnaires available to meet different merchant environments.

Related Policies and Procedures