Payment Card Industry Data Security Standard (PCI DSS)

Policy Information
Policy Title: Payment Card Industry Data Security Standard (PCI DSS)
Responsible Office: Senior Associate Vice President for Budget and Business Affairs
Policy Type: Business Affairs
Policy Number: 218
Last Revision Date: 7/1/2019

Background Information

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for credit card account data security, developed by the credit card industry in response to an increase in identity theft and credit card fraud. As a merchant who handles credit card data, Binghamton University is obliged to safeguard that information and adhere to the standards established by the Payment Card Industry Council including setting up and maintaining controls for handling credit card data, computer and internet security and completing an annual self-assessment questionnaire.

Without adherence to the PCI DSS, the university would be in a position of great reputational risk and financial liability. Merchant account holders who fail to comply are subject to:

  1. Fines imposed by the payment card industry.
  2. Additional monetary costs associated with remediation, assessment, forensic analysis, or legal fees.
  3. Suspension of the merchant account.

Purpose

The purpose of this policy is to define the guidelines for accepting and processing credit card payments and storing cardholder information to comply with the Payment Card Industry Data Security Standards.

Definitions

Cardholder Data (CHD)

Cardholder data consists of the full primary account number (PAN), expiration date, cardholder name, and/or service code, or any other cardholder identifying information.

Cardholder Information Security Program (CISP)

The Visa Cardholder Information Security Program (CISP) is designed to ensure that all merchants that store, process, or transmit Visa cardholder data, protect it properly.

Data Security Standard

Standard developed by the PCI Security Standards Council (PCI SSC) which provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.

Merchant Account

An account established for a unit by a bank to credit sale amounts and debit processing fees.

Merchant

Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

Payment Card Industry Security Standards Council (PCI SSC)

The PCI SSC is a group formed in 2006 by the credit card brands (VISA, MasterCard, Discover, JCB and American Express) to establish data security standards for the industry. https://www.pcisecuritystandards.org/

Self-Assessment

The Self-Assessment Questionnaire (SAQ) is a validation tool primarily used by merchants to demonstrate compliance to the PCI DSS. The SAQ here, https://www.pcisecuritystandards.org/tech/supporting_documents.htm, is based on the current version of the Payment Card Industry Data Security Standard (PCI DSS).

Sensitive Authentication Data

Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions.

Service Code

Three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.

Authority and Responsibility

Binghamton University (including the Foundation and Research Foundation) is responsible for securely processing credit card payments for students, staff and all other customers and for coordinating and overseeing policies and procedures regarding payment processing. Information Technology Services (ITS) is responsible for the operation of the university’s data networks including all merchant services systems.

Procedures

In order to accept credit card and debit card transactions on behalf of Binghamton University, including web-based transactions and those processed via third party vendors, authorization must be obtained in advance from the Business Office. Only the Business Office may issue merchant accounts and the Accounting Manager is the specific point of contact. Additionally, to ensure that all transactions are handled according to this Policy, sale of goods and services to entities outside the university must be reviewed and approved by the Business Office.

Departments that need to accept credit/debit cards must either obtain a physical point-of-sale swipe terminal to process transactions or utilize the campus web payment system. Departments wishing to use an Agency account provided by the Foundation must follow the procedures of the Binghamton University Foundation's Accounting Office. However, any department using a BUF Agency account must still comply with this policy. Use of any other alternative method may be approved by the Business Office on a case-by-case, interim exception basis only. Any approved alternative interim method must implement one of the two accepted means of payment noted above within 6 months or service will be discontinued. All transactions that Binghamton University processes must meet the standards outlined in this Policy.

  • In conjunction with the Binghamton University Information Security Program (Campus Policy #300), no person or entity may transmit cardholder data (CHD) across any portion of the campus information technology infrastructure. The only exception is for campus merchants that have received prior approval to operate using the server known as the "PCI Subnet." Those merchants are strongly encouraged to reduce PCI scope by switching to point-to-point encryption (P2PE) and/or a vendor-hosted solution as soon as possible.
  • All merchants must strive to limit PCI scope by staying within the requirements of SAQ A (e-Commerce only), SAQ B (in person payments are processed on stand-alone terminals), or SAQ P2PE-HW. Operating on one or more of these three SAQs will ensure that the merchant is PCI compliant. Merchants who operate under SAQs A-EP, B-IP, and/or C-VT will find it very difficult and costly to pursue compliance, may still not achieve it, and may have the cost of obtaining compliance charged to their accounts. SAQ C and SAQ D merchants have always been found non-compliant by the university's QSA and there is no reason that such findings will not continue in the foreseeable future.
  • All in-person credit card payments must have the actual card present.
  • All electronic credit/debit card processing will be handled via the campus web payment system and in no case will any cardholder data be stored on any office computer, laptop, spreadsheet, portable media (such as CDs and USB drives), or on local or network shared drives.
  • Cardholder data will never be accessed to provide lists and will be retained within the governing provisions of card issuer, state and/or federal requirements. Cardholder data should only be retained as long as there is a business need (such as for reconciliation purposes) and may not exceed a one-year maximum.
  • Cardholder data will not be accepted via email, campus interoffice mail, or messaging systems (such as text, chat, or instant messaging) and the related transaction will not be processed. The corrective action is to reject the message by notifying the submitter that the information cannot be accepted in this manner, and then deleting the email from your inbox and trash bin.
  • Phone payments carry increased banking fees due to the increased risk of not being able to verify the signature, etc. Therefore, phone payments are discouraged and efforts should be made to utilize swipe transactions or the campus web payment processing system instead.
  • Computer terminals and paper storage areas must be locked when left unattended.
  • Physical cardholder data must be locked in a secure area and access will be limited to individuals that require business use of the data.
  • Only essential information should be stored. Under no circumstances should the Service Code (also known as the CVC, Security Digits, V Code, or CID), the user's PIN or the full data from a card’s magnetic stripe be stored in any system being utilized by the university.
  • Credit card information should be destroyed by cross-cut shredding and/or disposed of within the rules of the university immediately after the retention time frame (one year or less) has expired.
  • Credit card receipts may only show the first six and last four digits of the credit card number.
  • All credit card processing equipment to be discarded must be properly disposed of. POS terminals should be returned to the PCI Compliance Officer and computer terminals should be turned over to ITS.
  • It is the merchant account department’s responsibility to maintain a list of all active employees that have credit card responsibilities. Background checks on staff handling credit card data are required.
  • Staff with access to the cardholder data environment must complete annual PCI training regardless of whether or not the staff person physically processes credit card payments and/or physically touches stored data. All supervisors of staff in the cardholder data environment must also be trained.
  • Each individual must maintain a unique ID and password for computer access. Under no circumstances can an ID or password be shared with another individual. In addition, all vendor supplied default passwords must be changed before moving into production.
  • Third party vendors must be contractually obligated to comply with the PCI DSS. PCI DSS liability-limiting language must exist in all third party contracts and each third party vendor must provide proof of compliance annually. All new contracts with a payment processing component must be reviewed by the PCI Compliance Officer.
  • Each merchant department is required to create and maintain a written PCI DSS compliance policy that is specific to that department. The university policy may be used as a guide. The policy must include a department incident response plan. The first step of that plan is to contact the PCI Incident Response Team.
  • Departments must report security incidents to the PCI Incident Response Team (Chief Information Security Officer (CISO), Director of Risk Management, and the PCI Compliance Officer), which will work in conjunction with the department to investigate and handle potential compromises in accordance with Information Security's Incident Response Policy. The PCI Incident Response Team will notify all campus offices affected by the incident.
  • All departments must comply with the Payment Card Industry Data Security Standard including the annual completion of the Self-Assessment Questionnaire (SAQ).
  • The PCI Compliance Officer, under the direction of the Senior Vice President for Budget & Business Affairs, is responsible for submitting the annual Attestation of Compliance to our acquiring bank.
  • Wireless payment card transaction processing must be approved by the PCI Compliance Officer and the Chief Information Security Officer prior to establishing the operation. POS terminals must be locked when not in use. The use of Wi-Fi is prohibited at all times, regardless of location, unless a PCI Council validated P2PE solution is in use. Any other wireless devices must use a cellular connection. The department merchant account will be revoked if Wi-Fi is used. The only exception to the Wi-Fi rule is for outside entities (see below).
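Three of the rules above are mechanical enough to automate: receipts may show only the first six and last four digits of the card number, card validation codes, PINs and magnetic-stripe data must never be stored, and cardholder data arriving by email or messaging must be rejected rather than processed. The following Python is an added example written for this page; it is not the university's code, the PCI SSC's code, or part of the policy. The field names, the regular expression, the sample messages and the sample record are all constructed assumptions, and the card numbers used are well-known Luhn-valid test values, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. Luhn filtering removes most false hits
# (order numbers, phone numbers) that merely look like card numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names treated as sensitive authentication data (constructed names).
FORBIDDEN_FIELDS = {"cvc", "cvv", "cid", "pin", "pin_block", "track1", "track2", "magstripe"}


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN the way the receipt rule requires: first six and last four visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("too short to be a primary account number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask every Luhn-valid PAN in text, e.g. before an incident ticket or log entry is written."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def retention_violations(record: dict) -> list:
    """Return the names of any populated sensitive-authentication-data fields in a record."""
    return sorted(k for k in record
                  if k.lower() in FORBIDDEN_FIELDS and record[k] not in (None, ""))


def prepare_for_retention(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to keep for reconciliation.

    Refuses any record still carrying sensitive authentication data and masks
    the PAN, so that what is retained never exceeds what the policy allows.
    """
    bad = retention_violations(record)
    if bad:
        raise ValueError(f"sensitive authentication data present: {bad}")
    safe = dict(record)
    if "pan" in safe:
        safe["pan"] = mask_pan(safe["pan"])
    return safe


# Constructed sample input: one message that must be rejected, one that is harmless.
SAMPLE_MESSAGES = [
    "Please charge my card 4111 1111 1111 1111 exp 12/26 for the conference fee.",
    "Order #1234567890123456 shipped, call 607-777-2000 with questions.",
]

# Constructed sample record as a payment form might submit it; the CVC must not be kept.
SAMPLE_RECORD = {"pan": "4111111111111111", "exp": "12/26", "cvc": "123"}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        hits = find_pans(msg)
        print("REJECT" if hits else "ok    ", redact(msg))
    print(retention_violations(SAMPLE_RECORD))
```

`find_pans` is the check a mailbox or chat integration would run before a message is handled; a non-empty result means the message falls under the "reject and notify the submitter" rule, and `redact` gives a version that is safe to quote in the incident report. `prepare_for_retention` is the gate in front of any reconciliation store: it refuses records that still carry a CVC, PIN or track data and keeps only the truncated PAN.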

Financial Implications

The merchant account department shall bear the responsibility for and costs associated with ensuring compliance with this policy and the PCI DSS requirements (such as secure cabinets, locks, training, documentation etc.) as well as any fines imposed by the payment card industry for non-compliance and any additional monetary costs associated with remediation, assessment, forensic analysis or legal fees.

Compliance Certification Process

Staff responsible for processing, storing or transmitting credit card data must complete annual PCI-DSS on-line compliance training and sign a PCI confidentiality statement upon completion of the on-line training, which can be found at http://www.binghamton.edu/human-resources/policies/confidentiality.html.

Outside Entities Doing Business on Campus

Generally speaking, outside entities are permitted to accept credit card payments on campus provided they attest to their own compliance with the PCI DSS. Such an entity should be able to provide proof of PCI DSS compliance such as a RoC, AoC, SAQ, etc. These organizations are encouraged to utilize their own network connection, such as wireless cellular. However, use of the BU public Wi-Fi is permissible, since information security policies state that Binghamton University is not responsible for data loss on the network due to the inherent risk associated with open public networks. There are entities on campus that are separate legal entities but are not "Outside Entities":

  • The Binghamton Foundation
  • The Research Foundation at Binghamton University
  • The Student Association

These three entities are exceptions to this section. They must refrain from transmitting CHD on any portion of the university network and must comply with all other sections of this campus policy.