University Policy 120

Payment Card Processing Policy

Initially Approved: October 12, 2015
Policy Topic: Business Administration & Auxiliary Services
Administering Office: Controller

I. POLICY STATEMENT

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures related to processing payment card transactions. This comprehensive standard is intended to help organizations proactively protect customer account data. Agencies found to be out of compliance that don’t take corrective action within a reasonable time may be required to stop accepting payment cards and may be liable for fines.

This policy defines the requirements and responsibilities for processing payment cards at Western Carolina University that allow the university to remain PCI-compliant.

II. SCOPE AND APPLICATION OF THE POLICY

This policy applies to all university departments, and to all vendors and contractors that provide services to the university, that act as a merchant by accepting, maintaining, transmitting or storing payment cardholder data in any way.

III. DEFINITIONS

  1. “Payment Card” shall refer to any of a range of different cards that can be used by a customer to make a payment, but does not include the University’s declining balance cards.
  2. “Merchant” shall refer to university departments, and vendors or contractors that provide services to the university who accept, maintain, transmit, or store payment cardholder data in any way.
  3. “Computer” shall refer to desktop personal computers; laptop personal computers; smart phones; and/or tablet computing devices.
  4. “Point of Sale” (POS) Terminal shall refer to a device that is used to interface with a payment card to transmit cardholder data.
  5. “Card Processing Equipment” refers to any device or equipment that collects, stores or transmits cardholder data from a payment card. Card Processing Equipment may include computers (as defined above) or POS terminals (as defined above).
  6. “Cardholder Data Environment” (CDE) shall refer to all technology that stores, processes or transmits cardholder data (for example, servers, network equipment and applications).
  7. “Cardholder Data” shall refer to the primary account number (PAN) of a payment card. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the CDE, they are also considered cardholder data.

IV. REQUIREMENTS FOR CARD PROCESSING EQUIPMENT

  1. Card Processing Equipment may only be used in the locations and for the purpose for which it has been approved. Contact the Controller’s Office for approval of new locations or usage of Card Processing Equipment.
  2. Payment cards may only be processed using approved equipment and applications. Information regarding requirements for approved equipment and applications shall be maintained by the Controller’s Office in a separate procedure.
  3. Computers used as Card Processing Equipment may not be used for other purposes unless approved by the Controller and the CIO or their designees.

V. REQUIREMENTS FOR PROCESSING PAYMENT CARD DATA

The Controller’s Office, in association with the IT Division, shall maintain procedures for the handling of Payment Card Data.

VI. RESPONSIBILITIES

A. Merchants that handle payment cards must:

  1. Create and maintain a list of all personnel approved to use Card Processing Equipment;
  2. Create and maintain a list of all Card Processing Equipment and provide that list to the WCU Controller’s Office. The list must contain the location, make, model, serial number or WCU tag number of each piece of Card Processing Equipment;
  3. Ensure that only approved personnel use Card Processing Equipment;
  4. Ensure that all staff who handle payment cards take the PCI training provided through the Controller’s Office;
  5. Ensure that all staff are made aware of this policy; related policies, procedures, and resources; and University Policy 117 – Information Security Policy (University Policy 117);
  6. Inspect all Card Processing Equipment at least monthly for evidence of tampering, in particular foreign devices attached to the equipment. If such evidence is discovered, it must be reported first to the Western Carolina University Police Department and then to the Controller’s Office; and
  7. Ensure all users of Card Processing Equipment requiring authentication have a unique identifier with which to authenticate.

B. Operators of Card Processing Equipment must:

  1. Take the PCI training provided by the Controller’s Office;
  2. Be aware of and abide by this policy; related policies, procedures and resources; and University Policy 117; and
  3. Report suspicious activities, evidence of tampering or security incidents first to the Western Carolina University Police Department and then to the department manager or, if a manager is not available, to the Controller’s Office.

C. The IT Division shall:

  1. Maintain the security controls that protect the CDE, including but not limited to firewall and network routing configurations, according to the current PCI DSS;
  2. Change vendor default passwords or other default settings for systems or network components that are part of the CDE;
  3. Maintain logs for critical components of the CDE according to the current PCI DSS standards; and
  4. Maintain network maps that document the flow of data in and out of the CDE.

D. The Controller’s Office shall:

  1. Maintain a formal payment card security awareness program for university employees who handle payment cards;
  2. Approve or deny new locations of Card Processing Equipment; and
  3. Maintain a list of service providers that are involved in processing payment cards for each merchant number owned by the university and a written agreement from each service provider acknowledging what their responsibility is for PCI compliance.

VII. POLICY REVIEW

This policy and its related procedures and resources shall be reviewed and revised annually as part of the required annual PCI Self-Assessment Questionnaire process.

VIII. RELATED POLICIES, PROCEDURES AND RESOURCES

Payment Card Industry Data Security Standard (current version)
University Policy 117 Information Security
NC Office of the State Controller Compliance with PCI Data Security Standards Policy
Controller’s Office Procedure - Requirements for Processing Payment Card Data