Oversight
The Payment Card Industry Data Security Standards, a set of comprehensive
requirements for enhancing payment account data security, was developed by the
founding payment brands of the PCI Security Standards Council. The Payment Card
Industry Security Standards Council is responsible for managing the security
standards, while compliance with the Payment Card Industry set of standards is
enforced by the founding members of the Council: American Express, Discover
Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
Definitions
Merchant Account is a relationship set up by Business Office personnel between
Kaskaskia College and a bank in order to accept credit card transactions.
Cardholder Data indicates the full magnetic stripe or the PAN plus any of the
following:
- Cardholder name
- Expiration date
- Card Verification Value (CVV), also known as CVM
PAN, the Primary Account Number, is the payment card number (credit or debit)
that identifies the issuer and the particular cardholder account. It is also
called the Account Number.
Responsibility
The Payment Card Industry Compliance Officer is responsible for the
coordination of and oversight for this policy as well as maintaining
documentation to support compliance. Responsibilities also include
identification of risks, approval of changes in service providers and payment
processing equipment/software, and approval/training of groups with access to
cardholder data.
The Information Technology Department is responsible for developing and
implementing processes and procedures to support network architecture, software
design, and identifying risks and vulnerabilities. Information Technology is
also responsible for regularly monitoring the effectiveness of those processes
and procedures.
All departments that collect, maintain, or have access to credit card
information must comply with this Payment Card Industry policy. These currently
include:
- The Business Office, which accepts and opens mail that may contain credit
card information and processes refunds in the CenterStage software
- The Accounts Receivable/Cashiers, who accept and process credit cards for
payment of student accounts and for other customers
- The Bookstore, which accepts and processes credit cards for the payment of
books, supplies and other products, as well as accepting and processing credit
cards for ticketed events through the CenterStage software
- The Cafeteria, which accepts and processes credit cards as payment for food
items
- The Administrative Assistant to the Vice President of Administrative
Services, who accepts or coordinates information on behalf of the College
Foundation
- Other groups using the mobile point of sale system kept by the Information
Technology Department for the acceptance of credit cards at fundraising or
other special events. Use of this mobile system must be approved (in writing)
by the Payment Card Industry Compliance Officer, and the machine must be
operated by an employee who has received Payment Card Industry Compliance
training from one of the above listed groups.
No employee or any other person outside of the groups listed above may accept,
store, or use cardholder data on behalf of the College or under the guise of
College business without prior approval by the Payment Card Industry Compliance
Officer.
If a student or customer attempts to provide credit card information to an
employee not authorized in the above categories, then employees should direct
them to a cashier for immediate assistance. This rule applies to, but is not
limited to, education centers, community education, Foundation, and club
transactions. Under no circumstances should the employee accept the credit card
information for any type of transaction.
No forms developed or used by the College shall provide the opportunity to
supply credit card information. Instead, they should direct customers to a
cashier or online payment (if possible). Any links placed on the College
website that involve the acceptance of credit cards by the College or any other
business must be approved by the Payment Card Industry Compliance Officer.
Goals:
The College prohibits the storing of any credit card information in an
electronic format on any computer, server or database, including Excel
spreadsheets. It further prohibits the emailing of credit card information.
The following list communicates the full scope of the compliance requirements.
Because College policy prohibits storing credit card information electronically
and relies on third-party vendors for web-based credit card processing, some of
the listed requirements may not be relevant.
Goals and PCI DSS Requirements
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security
parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and
contractors
Procedures
The College requires compliance with Payment Card Industry standards. To
achieve compliance, departments accepting credit cards to process payments on
behalf of the College must meet the following requirements.
General Requirements
Management and employees must be familiar with and adhere to the Payment Card
Industry Data Security Standards requirements of the Payment Card Industry
Security Standards Council.
All employees involved in processing credit card payments must sign a statement
that they have read, understood, and agree to adhere to the Information
Security policies of the College and this policy.
Credit card merchant accounts must be approved by the Business Office.
Any proposal for a new process (electronic or paper) related to the storage,
transmission or processing of cardholder data must be brought to the attention
of and be approved by the Payment Card Industry Compliance Officer.
All departments must establish a refund policy addressing credit or debit card
transactions. The refund policy must be disclosed to customers, via signs in
the physical location or in a relevant place on the website.
The Dean of Information Technology and the Vice President of Administrative
Services must approve all equipment and technologies used to process or access
credit card information, including remote access technologies, removable
media, wireless technologies, laptops, software and other system requirements.
Relocation of this equipment and these technologies must also be approved by
the Dean of Information Technology.
Job descriptions for employees with access to cardholder data must be
reflective of this access and must include data security requirements
associated with access.
All new employees who will have duties handling cardholder data must undergo a
background check prior to being hired.
New employees handling cardholder data must undergo Payment Card Industry
training upon hire.
Existing employees handling cardholder data must undergo Payment Card Industry
training annually.
Access to the cardholder data environment must be restricted to only those
employees with a need to access, and physical controls must be in place to
protect the cardholder data environment. Employees may not share cardholder
data with other employees unless deemed necessary by a supervisor.
Storage and Disposal
Cardholder data must not be entered/stored on College network servers,
workstations, laptops, spreadsheets or removable storage devices.
Cardholder data must not be transmitted via email.
The College discourages sending or receiving cardholder data through the mail.
Web payments must be processed using a Payment Card Industry compliant service
provider approved by the Vice President of Administrative Services. Credit card
numbers must not be entered into a web page of a server hosted on the College
network.
Although electronic storage of credit card data is prohibited by this policy,
the College will perform a periodic scan to ensure that the policy has not been
violated.
Neither the full contents of any track from the magnetic stripe nor the
three-digit card validation code may be stored in a database, log file, or
point of sale product.
If cardholder data must be written down in the event of power failure or other
equipment failure, this information should be securely disposed of when no
longer needed for reconciliation, business or legal purposes. In no instance
shall this exceed seven days, and it should be limited whenever possible to
only three business days. Secure destruction must occur via shredding, either
in house using a crosscut shredder or with a third-party provider with a
certificate of disposal.
Any cardholder data kept in a physical format, under the circumstances
referenced above, must be physically secured at all times. All credit card
processing equipment must be physically secured as well.
All credit card processing machines must be programmed to print out only the
last four digits of a credit card number and should be regularly inspected for
skimming devices or other unusual alterations.
Third-Party Vendors (Processors, Software Providers, Payment Gateways, or
Other Service Providers)
The Vice President of Administrative Services must approve each merchant bank
or processing contract of any third-party vendor that is engaged in, or
proposes to engage in, the processing or storage of transaction data on behalf
of the College, regardless of the manner or duration of such activities.
Third-party vendors must adhere to all rules and regulations governing
cardholder information security.
The College must contractually require that all third parties involved in
credit card transactions meet all Payment Card Industry security standards, and
that they provide proof of compliance and of efforts at maintaining ongoing
compliance.
Self-Assessment
The Payment Card Industry Self-Assessment Questionnaire must be completed by
the merchant account owner annually and anytime a credit card related system
or process changes. This assessment is the responsibility of Information
Technology staff in coordination with the relevant department.
Training
Annual training programs must be offered to train employees on Payment Card
Industry Data Security Standards and the importance of compliance.
Reporting a Suspected Breach
In the event of a suspected breach of security, including the suspicion that
credit card information has been exposed, stolen, or misused, immediately
notify Information Technology staff (618-545-3098) and the Payment Card
Industry Compliance Officer.
Payment Card Industry Compliance Officer: Senior Accountant, (618) 545-3232
Approval History: Replaces Payment Card Industry Data Security Standards BF-6
approved December 18, 2017