Payment Card Industry Data Security Standard (PCI DSS)
Responsible Office: Risk Management and Administrative Compliance
Policy Type: Business Affairs
Policy Number: 221
Last Date Revised: 8/28/17
1.0 Background Information
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for credit card account data security, developed by the credit card industry in response to an increase in identity theft and credit card fraud. As a merchant who handles credit card data, Binghamton University is obliged to safeguard that information and adhere to the standards established by the Payment Card Industry Council including setting up and maintaining controls for handling credit card data, computer and internet security and completing an annual self-assessment questionnaire.
Without adherence to the PCI DSS, the university would be in a position of great reputational risk and financial liability. Merchant account holders who fail to comply are subject to:
a) Fines imposed by the payment card industry.
b) Additional monetary costs associated with remediation, assessment, forensic analysis, or legal fees.
c) Suspension of the merchant account.
The purpose of this policy is to define the guidelines for accepting and processing credit card payments and storing cardholder information to comply with the Payment Card Industry Data Security Standards.
3.1 Cardholder Data (CHD)
Cardholder data consists of the full primary account number (PAN), expiration date, cardholder name, and/or service code, or any other cardholder identifying information.
3.2 Cardholder Information Security Program (CISP)
The Visa Cardholder Information Security Program (CISP) is designed to ensure that all merchants that store, process, or transmit Visa cardholder data protect it properly.
3.3 Data Security Standard
Standard developed by the PCI Security Standards Council (PCI SSC) which provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.
3.4 Merchant Account
An account established for a unit by a bank to credit sale amounts and debit processing fees.
3.5 Merchant
Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
3.6 Payment Card Industry Security Standards Council (PCI SSC)
The PCI SSC is a group formed in 2006 by the credit card brands (VISA, MasterCard, Discover, JCB and American Express) to establish data security standards for the industry. https://www.pcisecuritystandards.org/
3.7 Self-Assessment Questionnaire (SAQ)
The Self-Assessment Questionnaire (SAQ) is a validation tool primarily used by merchants to demonstrate compliance with the PCI DSS. The SAQ here, https://www.pcisecuritystandards.org/tech/supporting_documents.htm, is based on the current version of the Payment Card Industry Data Security Standard (PCI DSS).
3.8 Sensitive Authentication Data
Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.
3.9 Service Code
Three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.
4.0 Authority and Responsibility
Binghamton University (including the Foundation and Research Foundation) is responsible for securely processing credit card payments for students, staff and all other customers and for coordinating and overseeing policies and procedures regarding payment processing. Information Technology Services (ITS) is responsible for the operation of the university’s data networks including all merchant services systems.
In order to accept credit card and debit card transactions on behalf of Binghamton University, including web-based transactions and those processed via third party vendors, authorization must be obtained in advance from the Business Office. Only the Business Office may issue merchant accounts and the Accounting Manager is the specific point of contact. Additionally, to ensure that all transactions are handled according to this Policy, sale of goods and services to entities outside the university must be reviewed and approved by the Business Office.
Departments who need to accept credit/debit cards must either obtain a physical point of sale swipe terminal to process transactions or utilize the campus web payment system. Departments wishing to use an Agency account provided by the Foundation must follow the procedures of the Binghamton University Foundation's Accounting Office. However, any department using a BUF Agency account must still comply with this policy. Use of any other alternative methods may be approved by the Business Office on a case by case, interim exception basis only. Any alternative interim method approved must implement one of the two accepted means for payment noted above within 6 months or service will be discontinued. All transactions that Binghamton University processes must meet the standards outlined in the Policy.
In conjunction with the Binghamton University Information Security Program (Campus Policy #300), no person or entity may transmit cardholder data (CHD) across any portion of the campus information technology infrastructure. The only exception is for campus merchants that have received prior approval to operate using the server known as the "PCI Subnet." Those merchants are strongly encouraged to reduce PCI scope by switching to point-to-point encryption (P2PE) and/or a vendor-hosted solution as soon as possible.
All merchants must strive to limit PCI scope by staying within the requirements of SAQ A (e-commerce only), SAQ B (in-person payments processed on stand-alone terminals), or SAQ P2PE-HW. Operating under one or more of these three SAQs will ensure that the merchant is PCI compliant. Merchants who operate under SAQs A-EP, B-IP, and/or C-VT will find it very difficult and costly to pursue compliance, may still not achieve it, and may have the cost of obtaining compliance charged to their accounts. SAQ C and SAQ D merchants have always been found non-compliant by the university's QSA and there is no reason to expect that such findings will not continue in the foreseeable future. For guidance on how to comply with this section, refer to the flow chart.
All in-person credit card payments must have the actual card present.
All electronic credit/debit card processing will be handled via the campus web payment system and in no case will any cardholder data be stored on any office computer, laptop, spreadsheet, portable media (such as CDs and USB drives), or on local or network shared drives.
Cardholder data will never be accessed to provide lists and will be retained in accordance with card issuer, state and/or federal requirements. Cardholder data should only be retained as long as there is a business need (such as for reconciliation purposes) and retention may not exceed a one-year maximum.
Cardholder data will not be accepted via email, campus interoffice mail, or messaging systems (such as text, chat, or instant messaging) and the related transaction will not be processed. The corrective action is to reject the message by notifying the submitter that the information cannot be accepted in this manner, and then deleting the email from your inbox and trash bin.
Phone payments carry increased banking fees due to the increased risk of not being able to verify the signature, etc. Therefore, phone payments are discouraged and efforts should be made to utilize swipe transactions or the campus web payment processing system instead.
Computer terminals and paper storage areas must be locked when left unattended.
Physical cardholder data must be locked in a secure area and access will be limited to individuals that require business use of the data.
Only essential information should be stored. Under no circumstances should the Service Code (also known as the CVC, Security Digits, V Code, or CID), the user's PIN or the full data from a card's magnetic stripe be stored in any system being utilized by the university.
Credit card information should be destroyed by cross-cut shredding and/or disposed of within the rules of the university immediately after the retention time frame (one year or less) has expired.
Credit card receipts may only show the first six and last four digits of the credit card number.
All credit card processing equipment to be discarded must be properly disposed of. POS terminals should be returned to the PCI Compliance Officer and computer terminals should be turned over to ITS.
It is the merchant account department's responsibility to maintain a list of all active employees that have credit card responsibilities. Background checks on staff handling credit card data are required. The policy can be accessed at https://www.binghamton.edu/operations/policies/personnel-and-payroll/pre-employment-background-checks.html
Staff with access to the cardholder data environment must complete annual PCI training regardless of whether or not the staff person physically processes credit card payments and/or physically touches stored data. All supervisors of staff in the cardholder data environment must also be trained.
Each individual must maintain a unique ID and password for computer access. Under no circumstances can an ID or password be shared with another individual. In addition, all vendor supplied default passwords must be changed before moving into production.
Third party vendors must be contractually obligated to comply with the PCI DSS. PCI DSS liability-limiting language must exist in all third party contracts and each third party vendor must provide proof of compliance annually. All new contracts with a payment processing component must be reviewed by the PCI Compliance Officer.
Each merchant department is required to create and maintain a written PCI DSS compliance policy that is specific to that department. The university policy may be used as a guide. The policy must include a department incident response plan. The first step of that plan is to contact the PCI Incident Response Team. Refer to the example IRP for guidance.
Departments must report security incidents to the PCI Incident Response Team (Chief Information Security Officer (CISO), Director of Risk Management, and the PCI Compliance Officer), which will work in conjunction with the department to investigate and handle potential compromises in accordance with Information Security's Incident Response Policy. The PCI IRT will notify all campus offices affected by the incident.
All departments must comply with the Payment Card Industry Data Security Standard including the annual completion of the Self-Assessment Questionnaire (SAQ).
The Risk Management and Administrative Compliance (RMAC) office is responsible for submitting the annual Attestation of Compliance to our acquiring bank.
Wireless payment card transaction processing must be approved by RMAC and ITS prior to establishing the operation. POS terminals must be locked when not in use. The use of WiFi is prohibited at all times, regardless of location, unless a PCI Council validated P2PE solution is in use. Any other wireless devices must use a cellular connection. The department merchant account will be revoked if WiFi is used. The only exception to the WiFi rule is for outside entities (see Section 8.0).
6.0 Financial Implications
The merchant account department shall bear the responsibility for and costs associated with ensuring compliance with this policy and the PCI DSS requirements (such as secure cabinets, locks, training, documentation etc.) as well as any fines imposed by the payment card industry for non-compliance and any additional monetary costs associated with remediation, assessment, forensic analysis or legal fees.
7.0 Compliance Certification Process
Staff responsible for processing, storing or transmitting credit card data must sign a PCI confidentiality statement which can be found in Appendix A as well as at
8.0 Outside Entities Doing Business on Campus
Generally speaking, outside entities are permitted to accept credit card payments on campus provided they attest to their own compliance with the PCI DSS. Such an entity should be able to provide proof of PCI DSS compliance such as a RoC, AoC, SAQ, etc. These organizations are encouraged to utilize their own network connection, such as wireless cellular. However, use of the BU public WiFi is permissible since information security policies state that Binghamton University is not responsible for data loss on the network due to the inherent risk associated with open public networks. There are entities on campus that are separate legal entities, but are not "Outside Entities":
• The Binghamton Foundation
• The Research Foundation at Binghamton University
• The Student Association
These three entities are exceptions to this section. They must refrain from transmitting CHD on any portion of the university network and must comply with all other sections of this campus policy.
Appendix A - Binghamton University Confidentiality / Non-Disclosure Statement
RESPONSIBLE USE/CONFIDENTIALITY AGREEMENT COMPLIANCE FORM
Personnel, student, financial, medical, patient and other sensitive information [1] contained within Binghamton University or Binghamton University's Information Systems and/or external SUNY and State Systems are considered confidential. Access to this confidential information and any other information made confidential by law and Binghamton University policy is limited to those individuals whose position requires use of this information. By signing the statement below, you are acknowledging your acceptance and adherence to the confidentiality requirements imposed by federal and state law and Binghamton University policy.
By virtue of my position at Binghamton University or my position as/through an external party providing services to Binghamton University, I may have access to information which is confidential and is not to be disclosed to any person or entity without appropriate authorization, subpoena, or court order. In order to access confidential information, I agree to adhere to the itemized guidelines listed below. If I have questions or need guidance, I will consult with my supervisor to determine appropriate action.
1. I understand and acknowledge that improper or inappropriate use of data in the University’s Information Systems is a violation of University procedures and may also constitute a violation of federal and state laws.
2. I will only use confidential information in a manner consistent with my authorized access, and the duties and responsibilities of my position.
3. I will not provide or release confidential information to any individual or entity without proper authorization.
4. I will not access or review records or files for which I do not have a legitimate need to know in order to perform my duties.
5. I will not make copies of any records or data except as required in performance of my duties.
6. I will destroy any confidential information for which I no longer have an official business use in a manner appropriate to the medium and consistent with the applicable New York State, Federal, and University Record Retention policies.
7. I will not share any User ID and Password used to access Binghamton University resources with anyone, unless I have specific authorization to do so from my supervisor, or there is a need for an authorized technician to troubleshoot a system problem with my password. In this latter case, I will change my password when the technician’s task is complete.
8. I will not use the data for personal use or for commercial purposes.
9. I will refer all requests for information for which there is not an established office procedure to the Office of University Counsel.
10. I will refer external requests for University statistical, academic, or administrative data to the Office of Institutional Research and Assessment, University Counsel, Human Resources, Financial Services or those departments that have been authorized to respond to such requests.
11. I agree to report any unauthorized access to confidential data immediately to my supervisor.
12. I understand that violations of this agreement may result in the revocation of my access privileges to University information systems, may result in appropriate administrative action, including, but not limited to, disciplinary action, and may also subject me to prosecution by state or federal authorities.
13. I understand and agree that my obligation to maintain confidentiality will continue even after I leave the employment of Binghamton University.
I certify that I have read this “Access and Compliance Form,” and the attached information pertaining to access to and use of information contained in employee, applicant, student or donor records, that I understand both, and that I agree to comply with the above terms and conditions.
Employee / External Party Signature and Date
Employee / External Party Name (Printed) and Employee Department / External Company Name
I have reviewed this document with the employee and answered all employee questions.
Supervisor or Designated Department Representative Signature and Date
Supervisor or Designee Name (Printed)
[1] The disclosure of information from student records is governed by the Federal Family Educational Rights and Privacy Act (FERPA) [20 U.S.C. § 1232g]. Health information is governed by and protected by state and federal statutes including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Public Health Law §18. Financial information is protected by the Gramm-Leach-Bliley Act (GLBA). Social Security Number disclosure is governed by the Federal Privacy Act of 1974 and NY State law, which tracks the Federal Privacy Act and limits the collection and use of social security numbers by colleges/universities. Payment Card Industry (PCI) Data Security Standard, applicable to cardholder information, is defined by the Payment Card Industry Security Standards Council.
Appendix B - Binghamton University Procedure for Credit Card Transactions via POS Terminal
Payer enters BU # into terminal to queue up their account or the account they want to pay on (Student Accounts only).
Cashier verifies that the queued up screen is the correct account for this transaction (Student Accounts only).
Cashier verifies cardholder matches the payer at the counter.
Cashier checks for signature.
Cashier swipes card into data machine.
Data machine prompts for amount.
Cashier enters amount of transaction, presses enter key.
Data machine attempts to contact host for authorization.
Data machine returns a response of authorization, decline or call center. If declined, cashier returns card to payer. If call center, cashier calls the call center at 1-800-228-1122 for an authorization. If authorized by bank, cashier follows instructions given.
Data machine prints our copy of the receipt.
Cashier has payer sign receipt. This receipt is kept in the cashiers’ secure cash drawer until “End of Day Cash Out”.
Cashier hits reprint button for payer copy.
Cashier applies transaction to the account on Banner or other system if applicable.
Cashier saves transaction and prints Banner or other system receipt.
Cashier staples payer copy of the credit card receipt to the Banner/other system receipt and gives to payer.
Appendix C - Binghamton University Procedure for Credit Card Transactions via Fax/Mail
Binghamton University Office receives a faxed/mailed credit card authorization to pay. The payer will supply credit card information to process the charge including:
A brief statement stating the purpose of the charge and giving Binghamton University authorization to charge the card,
Dollar amount to be charged,
Signature and date, and
Contact phone number(s).
- Cashier enters card number, dollar amount and expiration date into data machine.
- Data machine prompts for “Cardholder present?” Cashier presses key “6” for NO.
- Data machine returns a response of authorized or declined.
- If declined, cashier will notify payer of the decline. Cashier will either re-enter the transaction or destroy the fax. If cashier can't contact the payer, the cashier will write "Declined", the date of the attempted phone contact and their initials on the fax. The fax is then stored securely.
- Completion of authorized transaction.
Cashier prints 1 copy of the transaction from the data machine.
Cashier applies transaction to the student account or other applicable record.
Cashier writes Banner or other receipt number on the top margin of the data machine receipt.
Cashier turns in this receipt at “End of Day Cash Out”.
Cashier prints Banner or other receipt showing application of the transaction.
Cashier staples the fax authorization to the receipt.
The stapled fax/receipt is interfiled numerically with the daily receipts.
The daily receipts are stored securely until removal to long term storage or they are destroyed.
Appendix D - End of Day Cash Out
Cashier places the data machine credit card receipts into item number order. These are now batched.
Cashier runs a detail tape for a total dollar amount of all credit card transactions.
Cashier presses key 9 to close batch total.
Cashier is prompted to enter total amount into data machine.
Cashier enters total into machine and hits enter to send batch to bank.
Data machine will close or reply with “Does not balance”. We will not close out until we balance.
Cashier presses “6” key to not print report.
Data machine prints out batch slip. Batch slip is stapled to the front of the batched credit card slips. These slips are stored in a locked cabinet for no longer than one year and then destroyed.
Cashier prints 2nd copy of the batch total.
Cashier turns in this copy at cash out. This copy is then given to Student Accounts which will be forwarded to the Accounting department.