Payment Card Industry Data Security Standard (PCI DSS)

Policy Information

Policy Title	Payment Card Industry Data Security Standard (PCI DSS)
Responsible Office	Risk Management and Administrative Compliance
Policy Type	Risk and Compliance
Policy Number	308
Last Revision Date	7/21/2023

Purpose

The purpose of this policy is to define the guidelines for accepting and processing credit card payments and storing cardholder information to comply with the Payment Card Industry Data Security Standards. Failure to protect this information may result in financial loss for customers, suspension of credit card processing privileges, fines, and damage to the reputation of the unit and the university.

Policy Statement

Binghamton University is committed to compliance with the Payment Card Industry Data Security Standards (PCI DSS) to protect payment card data regardless of where that data is processed or stored. All members of the university community must adhere to these standards to protect our customers and maintain the ability to process payments using payment cards.

The university prohibits the retention of complete payment card primary account numbers (PAN) or sensitive authentication data in any university system, database, network, computer, tablet, cell phone, or paper file. Storing truncated numbers, in approved formats (first six digits or last four digits) is permissible.
The PCI DSS requirements do not supersede local, state, and federal laws or regulations.

Background

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for credit card account data security, developed by the credit card industry in response to an increase in identity theft and credit card fraud. As a merchant who handles credit card data, Binghamton University is obliged to safeguard that information and adhere to the standards established by the Payment Card Industry Council including setting up and maintaining controls for handling credit card data, computer and internet security and completing an annual self-assessment questionnaire.

Without adherence to the PCI DSS, the university would be placed in a position of financial liability and reputational risk. Merchant account holders who fail to comply are subject to:

• Fines imposed by the payment card industry.
• Additional monetary costs associated with remediation, assessment, forensic analysis, or legal fees.
• Suspension of the merchant account.

The university must comply with the PCI DSS in order to accept card payments and avoid penalties. This policy and additional supporting policies and procedures:

• Provide the requirements for processing, transmission, storage, and disposal of cardholder data transactions
• Reduce the institutional risk associated with the administration of payment cards
• Promote proper internal control
• Promote compliance with the PCI DSS

Applicability

This policy applies to all University employees, affiliated organizations, contractors, consultants or agents who, in the course of doing business on behalf of the University, accept, process, transmit, or otherwise handle cardholder information in physical or electronic format. 

This policy applies to University departments and administrative areas which accept payment cards regardless of whether revenue is deposited in a University, Binghamton University Foundation, University Auxiliary Services, or Research Foundation (RF) financial account. 

Definitions

Cardholder Data (CHD)
Cardholder data consists of the full primary account number (PAN), expiration date, cardholder name, and/or service code, or any other cardholder identifying information.

Disposal
CHD must be disposed of in a certain manner that renders all data unrecoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, and USB storage devices in accordance with the Record Retention Guidelines. The approved PCI DSS disposal methods include cross-cut shredding, incineration, and approved shredding and disposal service.

Cardholder Information Security Program (CISP)
The Visa Cardholder Information Security Program (CISP) is designed to ensure that all merchants that store, process, or transmit Visa cardholder data, protect it properly.

Merchant Account
An account established for a unit by a bank to credit sale amounts and debit processing fees.

Merchant
Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

Payment Card Industry Data Security Standard
Standard developed by the PCI Security Standards Council (PCI SSC) which provides an actionable framework for developing a robust payment card data security process -including prevention, detection and appropriate reaction to security incidents.

Payment Card Industry Security Standards Council (PCI SSC)
The PCI SSC is a group formed in 2006 by the major credit card brands (VISA, MasterCard, Discover, JCB and American Express) to establish security standards for the industry. https://www.pcisecuritystandards.org/

Self-Assessment Questionnaire
The Self-Assessment Questionnaire (SAQ) is a validation tool primarily used merchants to demonstrate compliance to the PC DSS. 

Sensitive Authentication Data
Additional elements of payment card information required to be protected but never stored. These include magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, and PIN or PIN block.

• CAV2, CVC2, CID, or CVV2 data. The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card-not-present transactions.
• Magnetic Stripe (i.e., track) data.  Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization.
• PIN or PIN block. Personal identification number entered by the cardholder during a card-present transaction, or encrypted PIN block present within the transaction message.

Service Code
Three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.

Authority and Responsibility
Binghamton University (including the Foundation and Research Foundation) is responsible for securely processing credit card payments for students, staff and all other customers and for coordinating and overseeing policies and procedures regarding payment processing. Information Technology Services (ITS) is responsible for the operation of the university's data networks including all merchant services systems.  

All Members of the University Community

• Safeguard cardholder data.
• Report occurrences of possible incidents and data breaches to your supervisor or the UB Information Security Officer.
• Review and comply with the following university policies:
  
  • Binghamton University Computer and Network Policy (Acceptable Use)
  • University Information Security Program and Policy

PCI Compliance Officer

• Monitor the university’s compliance with PCI DSS requirements.
• Support PCI DSS compliance efforts.
• Develop and maintain mandatory annual training sessions.
• Review the required annual SAQ self-assessment.
• Maintain an inventory of all departments and offices that process payment card transactions using an approved merchant account or other compliant methods.
• Provide and monitor annual training that meets the PCI DSS requirements.
• Coordinate completion of the annual self-assessment documents (SAQs).
• Collect departmental PCI procedures as part of the annual SAQs.
  Evaluate compliance with PCI as part of scheduled cash handling reviews; this is a shared responsibility with Financial Management.

Information Technology Services (ITS)

• Maintain security standards required by PCI DSS.
• Keep current with PCI DSS regulations and make changes to systems and processes, as appropriate.
• Consult on technical PCI DSS issues.

Financial Management

• Keep current with PCI DSS regulations and make changes to processes, as appropriate.
• Maintain the inventory of all State devices (i.e., analog, cellular, Bluefin), merchant ids, and terminal ids along with activation status.
• Evaluate compliance with PCI as part of scheduled cash handling reviews; this is a shared responsibility with Policy, Compliance and Internal Control.

Department and Unit Heads (who accept payment card payments other than through approved online methods)

• Review and comply with the following university policies:
  • Credit/Debit Card Merchant Requirements
  • Cash Receipt Guidelines, if applicable
  • Change Fund Petty Cash Guidelines, if applicable
• Complete the required annual PCI self-assessment (SAQ).
• Complete the annual PCI training through Financial Management.
• Require appropriate staff to complete the annual PCI training through Financial Management.
• Maintain departmental Standard Operating Procedures (SPO) for PCI compliance and verify staff has an understanding of the procedures and their responsibilities.

Payment Card Handlers and Processors

• Follow the established cash receipts procedures for the appropriate funding source.
• Follow the Payment Card Processing Options and use PCI Compliant Devices for all card transactions.
• Complete the Payment Card Authorization Form when appropriate.
• Complete the annual PCI training through Financial Management.
• Review and comply with the following university policies:
  • Credit/Debit Card Merchant Requirements
  • Cash Receipt Guidelines, if applicable
  • Change Fund Petty Cash Guidelines, if applicable

Third Party Payment Card Processors

• Provide confirmation of compliance.

Financial Implications

The merchant account department shall bear the responsibility for and costs associated with ensuring compliance with this policy and the PCI DSS requirements (such as secure cabinets, locks, training, documentation etc.) as well as any fines imposed by the payment card industry for non-compliance and any additional monetary costs associated with remediation, assessment, forensic analysis or legal fees.

Compliance Certification Process

Staff responsible for processing, storing or transmitting credit card data must complete annual PCI-DSS on-line compliance training and attest to sign a PCI confidentiality statement upon completion of the on- line training, which can be found at: binghamton.edu/offices/human-resources/employees/policies/confiden.html.  

The form can be found at: binghamton.edu/offices/human-resources/forms/pdf/hr-masters/responsible-use-agreement-form.pdf 

Outside Entities Doing Business on Campus

Generally speaking, outside entities are permitted to accept credit card payments on campus provided they attest to their own compliance with the PCI DSS. Such an entity should be able to provide proof of PCI DSS compliance such as a PCI Report on Compliance (RoC), Attestation of Compliance (AoC), Self-Assessment Questionnaire (SAQ), etc. These organizations are encouraged to utilize their own network connection, such as wireless cellular. However, use of the BU public Wi-Fi is permissible since information security policies state that Binghamton University is not responsible for data loss on the network due to the inherent risk associated with open public networks. There are entities on campus that are separate legal entities, but are not "Outside Entities," and are exceptions to this section:

• The Binghamton University Foundation
• The Research Foundation at Binghamton University
• The Student Association

These three entities must refrain from transmitting CHD on any portion of the university network and must comply with all other sections of this campus policy.

Guidelines and Procedures

In order to accept credit card and debit card transactions on behalf of Binghamton University, including web-based transactions and those processed via third party vendors, authorization must be obtained in advance from the Business Office and the PCI Officer. Only the Business Office may issue merchant accounts.  To become a campus merchant, please visit  binghamton.edu/offices/accounting/merchant-request.html and submit the New Merchant Request E-form.  Additionally, to ensure that all transactions are handled according to this Policy, sale of goods and services to entities outside the university must be reviewed and approved by the Business Office.

To process card payments, departments must either obtain a physical point of sale swipe terminal or utilize the campus web payment system.  Departments wishing to use an Agency account provided by the Foundation must follow the procedures of the Binghamton University Foundation's Accounting Office, and must comply with this policy.  Use of any other alternative methods may be approved by the Business Office and PCI Compliance Officer on a case by case, interim exception basis only. Any alternative interim method approved must implement one of the two accepted means for payment noted above within 6 months or service will be discontinued.  All transactions that Binghamton University processes must meet the standards outlined in the Policy.

• In conjunction with the Binghamton University Information Security Program (Campus Policy #300), no person nor entity may transmit cardholder data (CHD) across any portion of the campus information technology infrastructure. The only exception is for campus merchants that have received prior approval to operate using the server known as the "PCI Subnet." Those merchants are strongly encouraged to reduce PCI scope by switching to point to point encryption (P2PE) and/or a vendor hosted solution as soon as possible.
• All merchants must strive to limit PCI scope by staying within the requirements of SAQ A (e-commerce only), SAQ B (in person payments are processed on stand-alone terminals), or SAQ P2PE-HW.  Operating on one or more of these three SAQs will ensure that the merchant is PCI compliant. Merchants who operate under SAQs A-EP, B-IP, and/or C-VT will find it challenging and costly to pursue compliance, may still not achieve it, and may have the cost of obtaining compliance charged to their accounts.  
• All in-person credit card payments must have the actual card present.
• All electronic credit/debit card processing will be handled via the campus web payment system and in no case will any cardholder data be stored on any office computer, laptop, spreadsheet, portable media (such as CDs and USB drives), or on local or network shared drives.
• Cardholder data will never be accessed to provide lists and will be retained within the governing provision under card issuer, state and/or federal requirements. Cardholder data should only be retained as long as there is a business need (such as for reconciliation purposes) and may not exceed a one-year maximum.
  Cardholder data will not be accepted via e-mail, campus interoffice mail, or messaging systems (such as text, chat, or instant messaging) and the related transaction will not be processed. The corrective action is to reject the message by notifying the submitter that the information cannot be accepted in this manner, and then deleting the e-mail, text, or other medium from your inbox and trash bin.
• Phone payments carry increased banking fees due to the increased risk of not being able to verify the signature, etc. Therefore, phone payments are discouraged and efforts should be made to utilize swipe transactions or the campus web payment processing system instead.
• Computer terminals and paper storage areas must be locked when left unattended.
• Physical cardholder data must be locked in a secure area and access will be limited to individuals that require business use of the data.
• Only essential information should be stored. Under no circumstances should the Service Code (also known as the CVC, Security Digits, V Code, or CID), users PIN or the full data from a card's magnetic stripe be stored in any system being utilized by the university.
• Credit card information should be destroyed by cross-cut shredding and/or disposed of within the rules of the university immediately after the retention time frame (one year or less) has expired.
• Credit card receipts may only show the first six and last four digits of the credit card number.
• All credit card processing equipment to be discarded must be properly disposed of. POS terminals should be returned to the Business Office and computer terminals should be turned over to ITS.
• It is the merchant account department's responsibility to maintain a list of all active employees that have credit card responsibilities. Background checks on staff handling credit card data is required.
• Staff with access to the cardholder data environment must complete annual PCI training regardless of whether or not the staff person physically processes credit card payments and/or physically touches stored data. All supervisors of staff in the cardholder data environment must also be trained.
• Each individual with access to the cardholder data environment must maintain a unique ID and password for computer access, and must not be shared under any circumstance. In addition, all vendor supplied default passwords must be changed before moving into production.
• Third party vendors must be contractually obligated to comply with the PCI DSS. PCI DSS liability limiting language must exist in all third-party contracts and each third-party vendor must provide proof of compliance on an annual basis.  All new and proposed contracts with a payment processing component must be reviewed by the PCI Compliance Officer.
• Each merchant department is required to create and maintain a written PCI DSS compliance policy that is specific to that department. University policy may be used as a guide. The policy must include a department incident response plan. The first step of that plan is to contact the PCI Incident Response Team.
• Departments must report security incidents to the PCI Incident Response Team (Chief Information Security Officer (CISO), Director of Risk Management, and the PCI Compliance Officer) which will work in conjunction with the department to investigate and handle potential compromises in accordance with information Security's Incident Response Policy. The PCI Incident Response Team will notify campus offices directly affected by the incident.
• All departments must comply with the Payment Card Industry Data Security Standard including the annual completion of the Self-Assessment Questionnaire (SAQ).
• The PCI Compliance Officer is responsible for submitting the annual Attestation of Compliance with the University’s acquiring bank.
• Wireless payment card transaction processing must be approved by the PCI Compliance Officer and the Chief Information Security Officer prior to establishing the operation. POS terminals must be locked when not in use. The use of Wi-Fi is prohibited at all times, regardless of location, unless a PCI Council validated P2PE solution is in use. Any other Wireless devices must use a cellular connection. The department merchant account will be revoked if unapproved Wi-Fi is used. The only exception to the Wi-fi rule is for outside entities.

Resources

• Campus Merchant information
• PCI Security Standards Council