Policies and Procedures

Board Bylaw:   
Policy Number:  3.7001
Subject Area:  Business Services and Finances 
Approved Date:  12/18/2017

Oversight

The Payment Card Industry Data Security Standard (PCI DSS), a comprehensive set of requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council. The Council is responsible for managing the standard, while compliance with it is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

Definitions

Merchant Account is a relationship set up by Business Office personnel between Kaskaskia College and a bank in order to accept credit card transactions.

Cardholder Data means the full magnetic stripe (track) data or the PAN plus any of the following:

  • Cardholder name
  • Expiration date
  • Card Verification Value (CVV2, also called CVC2 or CID depending on the card brand)

PAN (Primary Account Number) is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account.  It is also called the Account Number.

Responsibility

The Payment Card Industry Compliance Officer is responsible for the coordination of and oversight for this policy as well as maintaining documentation to support compliance.  Responsibilities also include identification of risks, approval of changes in service providers and payment processing equipment/software, and approval/training of groups with access to cardholder data.

 

The Information Technology Department is responsible for developing and implementing processes and procedures to support network architecture, software design, and identifying risks and vulnerabilities.  Information Technology is also responsible for regularly monitoring the effectiveness of those processes and procedures.

All departments that collect, maintain, or have access to credit card information must comply with this Payment Card Industry policy. These currently include:

  • The Business Office, which accepts and opens mail that may contain credit card information and processes refunds in the CenterStage software
  • The Accounts Receivable/Cashiers office, which accepts and processes credit cards for payment of student accounts and for other customers
  • The Bookstore, which accepts and processes credit cards for the payment of books, supplies and other products, and also accepts and processes credit cards for ticketed events through the CenterStage software
  • The Cafeteria, which accepts and processes credit cards as payment for food items
  • The Administrative Assistant to the Vice President of Administrative Services, who accepts or coordinates information on behalf of the College Foundation
  • Other groups using the mobile point of sale system kept by the Information Technology Department for the acceptance of credit cards at fundraising or other special events.  Use of this mobile system must be approved in writing by the Payment Card Industry Compliance Officer, and the machine must be operated by an employee who has received Payment Card Industry Compliance training from one of the groups listed above.

No employee or other person outside the groups listed above may accept, store, or use cardholder data on behalf of the College, or under the guise of College business, without prior approval by the Payment Card Industry Compliance Officer. 

If a student or customer attempts to provide credit card information to an employee not authorized in the above categories, the employee should direct them to a cashier for immediate assistance. This rule applies to, but is not limited to, education centers, community education, Foundation, and club transactions.  Under no circumstances should the employee accept the credit card information for any type of transaction.

No forms developed or used by the College shall provide the opportunity to supply credit card information.  Instead, they should direct customers to a cashier or online payment (if possible).  Any links placed on the College website that involve the acceptance of credit cards by the College or any other business must be approved by the Payment Card Industry Compliance Officer.

Goals:

The College prohibits the storing of any credit card information in an electronic format on any computer, server or database, including Excel spreadsheets.  It further prohibits the emailing of credit card information.  The following list communicates the full scope of the PCI DSS requirements; however, because College policy prohibits storing credit card information electronically and relies on third-party vendors for web-based credit card processing, some of the listed requirements may not apply to the College's environment.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy        

  • Maintain a policy that addresses information security for employees and contractors

Procedures

The College requires compliance with Payment Card Industry standards. To achieve compliance, departments accepting credit cards to process payments on behalf of the College must meet the following requirements.

General Requirements

Management and employees must be familiar with and adhere to the Payment Card Industry Data Security Standard requirements of the Payment Card Industry Security Standards Council.

All employees involved in processing credit card payments must sign a statement that they have read, understood, and agree to adhere to the Information Security policies of the College and this policy.

Credit card merchant accounts must be approved by the Business Office.

Any proposal for a new process (electronic or paper) related to the storage, transmission or processing of cardholder data must be brought to the attention of and be approved by the Payment Card Industry Compliance Officer.

All departments must establish a refund policy addressing credit or debit card transactions. The refund policy must be disclosed to customers, via signs in the physical location or in a relevant place on the website. 

The Dean of Information Technology and the Vice President of Administrative Services must approve all equipment and technologies used to process or access credit card information including remote access technologies, removable media, wireless technologies, laptops, software and other system requirements.  Relocation of this equipment and these technologies must also be approved by the Dean of Information Technology. 

Job descriptions for employees with access to cardholder data must be reflective of this access and must include data security requirements associated with access.

All new employees who will have duties handling cardholder data must undergo a background check prior to being hired. 

New employees handling cardholder data must undergo Payment Card Industry training upon hire.

Existing employees handling cardholder data must undergo Payment Card Industry training annually.

Access to the cardholder data environment must be restricted to only those employees with a need to access it, and physical controls must be in place to protect the cardholder data environment. Employees may not share cardholder data with other employees unless a supervisor deems it necessary.

Storage and Disposal

Cardholder data must not be entered/stored on College network servers, workstations, laptops, spreadsheets or removable storage devices.

Cardholder data must not be transmitted via email.

The College discourages sending or receiving cardholder data through the mail.

Web payments must be processed using a Payment Card Industry compliant service provider approved by the Vice President of Administrative Services.  Credit card numbers must not be entered into a web page served from a server hosted on the College network.

Although electronic storage of credit card data is prohibited by this policy, the College will perform periodic scans of its systems to ensure that the policy has not been violated.
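As an added illustration of the periodic scan mentioned above (example code written for this page, not the College's own tool or any vendor's product), the following Python script searches text files for 13 to 19 digit sequences that pass the Luhn check, which is how card-data discovery tools distinguish likely PANs from other long numbers such as invoice or student IDs. The embedded CSV content is constructed and uses published card-brand test numbers; the directory walk and the set of file extensions are assumptions.

```python
import os
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed set of file types to scan; adjust to what the department uses.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md"}


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): every second digit from the right is doubled,
    9 is subtracted from any doubled value above 9, and the total must be
    divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report only the last four digits, so the scan report itself does not
    become stored cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    source: str      # file path or label of the text scanned
    line_no: int
    masked: str


def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    """Return one Finding per Luhn-valid candidate PAN, with the PAN masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Drop degenerate runs such as 0000000000000000, which pass Luhn.
            if len(set(digits)) > 1 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_directory(root: str) -> list[Finding]:
    """Walk a directory tree and scan every file with a text-like extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample of the kind of spreadsheet export the policy forbids.
# The card numbers are the public Visa and American Express test numbers;
# the phone numbers are fictitious.
SAMPLE_CSV = """\
student_id,name,phone,note
100234,Jane Doe,618-555-0142,paid by check
100235,John Roe,618-555-0187,card 4111 1111 1111 1111 exp 12/20
100236,Ann Poe,,refund to 378282246310005
100237,Sam Moe,,invoice 20171218000001
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CSV, "sample.csv"):
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked}")
```

Run scan_directory against a file share or a workstation's documents folder to produce the report. Any random 13 to 19 digit number has roughly a one-in-ten chance of passing the Luhn check, so each hit needs a person to confirm it before any action is taken, and a production scan would also have to open spreadsheet and document formats rather than plain text, which this example does not attempt.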

Neither the full contents of any track from the magnetic stripe nor the three- or four-digit card validation code (CVV2/CVC2/CID) may be stored in a database, log file, or point of sale product, even if encrypted.

If cardholder data must be written down in the event of a power failure or other equipment failure, that information must be securely disposed of as soon as it is no longer needed for reconciliation, business or legal purposes. In no instance shall retention exceed seven days, and it should be limited whenever possible to three business days. Secure destruction must occur via shredding, either in house using a crosscut shredder or through a third-party provider that supplies a certificate of disposal.

Any cardholder data kept in a physical format, under circumstances referenced above, must be physically secured at all times.  All credit card processing equipment must be physically secured as well. 

All credit card processing machines must be programmed to print only the last four digits of the card number on receipts, and must be regularly inspected for skimming devices, substituted units, or other signs of tampering.

Third-Party Vendor (Processors, Software Providers, Payment Gateways, or Other Service Providers)

The Vice President of Administrative Services must approve each merchant bank or processing contract with any third-party vendor that is engaged in, or proposes to engage in, the processing or storage of transaction data on behalf of the College, regardless of the manner or duration of such activities.

Third-party vendors must adhere to all rules and regulations governing cardholder information security.

The College must contractually require that all third parties involved in credit card transactions meet all Payment Card Industry security standards, and that they provide proof of compliance and efforts at maintaining ongoing compliance.

Self-Assessment

The Payment Card Industry Self-Assessment Questionnaire must be completed by the merchant account owner annually and anytime a credit card related system or process changes. This assessment is the responsibility of Information Technology staff in coordination with the relevant department.

Training

Annual training programs must be offered to train employees on Payment Card Industry Data Security Standards and the importance of compliance.

Reporting a Suspected Breach

In the event of a suspected breach of security, including the suspicion that credit card information has been exposed, stolen, or misused, immediately notify Information Technology staff (618-545-3098) and the Payment Card Industry Compliance Officer.

Payment Card Industry Compliance Officer:  Senior Accountant

(618) 545-3232

Approval History:   Replaces Payment Card Industry Data Security Standards BF-6 approved December 18, 2017