Administrative Policy: Operational

Payment Card Industry (PCI) Security

Policy Number: 3349-OP-206
Effective Date: 10/01/2015
Updated: 08/01/2020
Reviewed:
Responsible Department: Accounting and Budget, Information Technology
Approval Authority:
VP for Operations and Finance
Responsible Office:
Operations and Finance

A. Purpose

The purpose of this policy is to ensure that Payment Card activities are consistent, efficient, and secure, protect the Confidentiality, Integrity, and Availability of University Systems and Data, are compliant with the Payment Card Industry Data Security Standard and are appropriately integrated within the University’s Cardholder Data Environment.

B. Scope

This policy applies to all Merchants and those who support Systems within the University’s Cardholder Data Environment. This policy does not apply to end-user use of Payment Cards, including procurement cards, or any other such instance where NEOMED is not acting in a primary or supporting Merchant capacity.

C. Definitions

  1. “Availability” refers to ensuring timely and reliable access to and use of Data or Systems. A loss of Availability is the disruption of access to or use of Data or Systems (e.g., hard drive failure, destruction of a System, System unresponsiveness, denial of service attack).
  2. “Card Verification Code”, also known as “Card Verification Value”, refers to the rightmost three-digit value printed in the signature panel area on the back of the Payment Card (labeled as CAV, PAN CVC, CVV, and CSC) or the four-digit number printed on the face of the Payment Card (labeled as CID, CAV2, PAN CVC2, and CVV2).
  3. “Cardholder” refers to an individual to whom a Payment Card is issued or any individual authorized to use the Payment Card.
  4. “Cardholder Data” refers to the elements of Payment Card information that are required to be protected. At a minimum, Cardholder Data consists of the full Primary Account Number. Cardholder Data may also appear in the form of the full Primary Account Number plus any of the following: Cardholder Name, Expiration Date and/or Service Code.
  5. “Cardholder Data Environment (CDE)” refers to the people, processes and technology, which can include University Systems, that store, process or transmit Cardholder Data or Sensitive Authentication Data at or on behalf of NEOMED.
  6. “Cardholder Name” refers to the name of the Cardholder to whom the Payment Card has been issued.
  7. “Confidentiality” refers to the preservation of authorized restrictions on Data access and disclosure, including means for protecting personal privacy and proprietary Data and Systems. A loss of Confidentiality is the unauthorized disclosure of Data (e.g., compromised by hackers; released or published publicly without authorization).
  8. “Data” refers to any instance of information, regardless of form or storage medium, that is categorized by an organization or by a specific law or regulation.
  9. “Expiration Date” refers to the date on which a card expires and is no longer valid. The expiration date is embossed, encoded or printed on the Payment Card.
  10. “Security Incident”, also referred to as “Incident” or “Information Security Incident”, refers to an adverse event that results in a suspected or known unauthorized disclosure, misuse, alteration, destruction, or other compromise of University Data or Systems.
  11. “Integrity” refers to guarding against improper Data or System modification or destruction and ensuring authenticity and non-repudiation in the use of Data or Systems. A loss of Integrity is the unauthorized modification or destruction of Data or Systems such that those resources can no longer be trusted for use, are incomplete, or are incorrect.
  12. “Merchant” refers to authorized University employees, contractors or agents who, while doing business on behalf of the University, accept or process Payment Cards for financial transactions.
  13. “Payment Card (P-Card)”, for the purposes of this policy, refers to debit, credit and pre-paid cards. For purposes of this policy, Payment Card specifically refers to any Payment Card that bears the logo of the founding members of Payment Card Industry Security Standards Council.
  14. “Payment Card Industry Data Security Standard (PCI DSS)” refers to the collective of security requirements defined by the Payment Card Industry Security Standards Council and the five major Payment Card brands.
  15. “Personal Identification Number (PIN)” refers to the secret numeric password, known only to the user and the system, used to authenticate the user to the system.
  16. “Personal Identification Number Block (PIN block)” refers to a block of data used to encapsulate a PIN during processing. The PIN block is composed of the PIN and the PIN length, and may contain a subset of the PAN.
  17. “Primary Account Number (PAN)” refers to the unique Payment Card number (typically 14 or 16 digits long for credit or debit cards) that identifies the issuer and the Cardholder account.
  18. “Restricted University Data” refers to University Data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, industry standards, or policy requirements.
  19. “Sensitive Authentication Data” refers to security-related information (including but not limited to Card Verification Codes, full Track Data, PINs, and PIN blocks) used to authenticate Cardholders and/or authorize Payment Card transactions. This Data is required to be protected but never stored.
  20. “Service Code” refers to the three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the Payment Card on the Track Data.
  21. “Service Provider”, with respect to this Policy, refers to a business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of Cardholder Data. Service Providers also include vendors or companies that provide services that control or could impact the security of Cardholder Data.
  22. “System” refers to an information technology resource that can be classified, may have security controls applied, and is organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of University Data.
  23. “Track Data”, also known as “Magnetic-Stripe Data”, refers to data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions.
  24. “Transient Record”, or “Transitory Record”, refers to a Record which is not of long-term value and is not needed to preserve the actions of the University, but exists for short-term usage and/or convenience (e.g., drafts that are superseded or updated by other records; phone slips or voicemail; and meeting notices).
  25. “University Data” refers to Data that is created, collected, stored and/or managed in association with fulfilling the University’s mission or its required business functions.

D. Policy Statement

  1. University Responsibilities
    1. The Office of Accounting and Budget, in conjunction with the Information Technology Department, will work with Merchants to provide the necessary guidance in the areas of PCI DSS compliance and internal controls.
    2. The Office of Accounting and Budget shall be involved in and approve any decisions to accept Payment Cards at or on behalf of the University.
    3. Transmission of quarterly scan results and the University annual Self-Assessment Questionnaire will be sent and managed by Accounting and Budget and Information Technology personnel.
  2. Opening and Closing a Merchant Account
    1. All prospective Merchants must receive written authorization and approval from the Office of Accounting and Budget before engaging in commercial or other transactional activities on behalf of the University and prior to entering any related contracts or purchasing related equipment. Upon authorization and approval, a Merchant identification number (ID) will be assigned to the Merchant.
      1. All technology to be used by Merchants must be approved by the Chief Information Technology Officer (or designee) prior to entering into any contracts or purchases.
    2. Merchants are responsible for all bank fees associated with opening and maintaining a Merchant ID, the cost of any equipment and supplies necessary to process transactions, and for all expenses associated with proving and maintaining compliance.
    3. Bank and Merchant accounts may only be opened and closed by the Office of Accounting and Budget. Any account that has not been opened and approved by the Office of Accounting and Budget must be closed immediately.
  3. Merchant Compliance and Training
    1. To accept Payment Cards at or on behalf of the University, Merchants must:
      1. Comply with the PCI DSS and the University’s Payment Card and Information Security policies;
      2. Complete an annual PCI DSS Self-Assessment Questionnaire (SAQ);
        1. Once completed, the SAQ must be made available as part of an annual review by personnel in the Office of Accounting and Budget and the Information Technology Department.
        2. Merchants must work to resolve any non-compliant findings discovered during the annual review.
      3. Complete annual PCI DSS Awareness training;
      4. Regularly review and update departmental, office or functional guidelines for safeguarding Payment Card information, as appropriate; and
      5. No less than daily, review and document all equipment used in the acceptance of Payment Cards to verify the absence of unauthorized use and tampering.
    2. Merchants who are also supervisors/managers/department leads must also maintain a list of individuals within their area who accept Payment Cards at or on behalf of the University or who have access to Cardholder Data. Such individuals will be required to complete annual PCI DSS awareness training or demonstrate that such training was completed.
  4. Accepting Payment Cards
    1. Merchants may accept Payment Card transactions through University-approved Card-not-Present and Card-Present methods and associated Systems, which includes retail (in-person), mail, and over-the-phone methods.
    2. Unapproved methods and Systems must be reviewed by the Office of Accounting and Budget and Information Technology Department to assess risks to the University’s PCI DSS compliance and determine appropriate controls, if possible.
  5. Security of Cardholder Data
    1. Cardholder Data is considered Restricted University Data and the Systems used to facilitate the University’s CDE are considered High Risk Systems, which must be safeguarded.
      1. When processing Payment Card transactions, only the minimum amount of information necessary to verify the identity and legitimacy of the Cardholder should be gathered.
      2. Cardholder Data access is restricted only to those authorized individuals who need such Data to perform their job or contractual duties.
      3. Cardholder Data may only be stored on paper and must always be secured (e.g., locked room or file cabinet) with access limited to only authorized individuals.
      4. Electronic storage of Cardholder Data is prohibited. This includes storage of such Data on University Systems, photocopy, electronic files, or any other electronic Data repository.
      5. Obtaining or transmitting Payment Card information via e-mail or facsimile (fax) is prohibited.
      6. Storage of Sensitive Authentication Data, in any format, is prohibited.
      7. The display of a Cardholder’s PAN must be masked or truncated such that only the minimum number of digits necessary to perform a specific University function is displayed (at a maximum, no more than the first six and last four digits of the PAN may be displayed).
    2. Written Cardholder Data is considered a Transitory Record; therefore, written Cardholder Data shall not be retained for any longer than needed for its intended business purpose. Once its use has expired, it must be securely destroyed using one of the University’s approved, secure destruction methods (e.g., cross-cut shredder, secure disposal through University approved vendor).
    3. All electronic equipment used to accept Payment Cards, in any manner, should be electronically wiped before leaving the University through sale, disposal, or other means.
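The display rule in D.5.1.7 (never more than the first six and last four digits of a PAN) and the prohibition on electronic storage in D.5.1.4 are controls that a Merchant's support staff can check mechanically. The following Python is an added example, not code from this policy or from any NEOMED system; it assumes PANs are 14 to 16 digits (the range in definition 17), uses "*" as the mask character, and applies the standard Luhn check only to reduce false positives when scanning text for unmasked PANs. The card numbers in the sample log are constructed, publicly documented test numbers, not real accounts.

```python
"""PAN display masking and an unmasked-PAN check (added example, assumptions noted)."""
import re

# Policy D.5.1.7: at most the first six and last four digits of a PAN may be shown.
MAX_LEADING = 6
MAX_TRAILING = 4


def _digits_only(value: str) -> str:
    """Strip spaces, hyphens and anything else that is not a digit."""
    return re.sub(r"\D", "", value)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check-digit test (assumed applicable to the PANs in scope)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, leading: int = 0, trailing: int = 4, fill: str = "*") -> str:
    """Return a display form of `pan` showing `leading` first and `trailing` last
    digits. Requests above the policy maximum are refused, not silently clipped."""
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("requested display exceeds the first-six/last-four maximum")
    digits = _digits_only(pan)
    if not 14 <= len(digits) <= 16:              # assumed PAN length range
        raise ValueError("PAN must be 14 to 16 digits")
    head = digits[:leading]
    tail = digits[len(digits) - trailing:] if trailing else ""
    return head + fill * (len(digits) - leading - trailing) + tail


def display_is_compliant(display: str) -> bool:
    """True when a rendered value shows at most six leading and four trailing digits
    with a non-digit mask in between. Spaces and hyphens are ignored."""
    compact = re.sub(r"[ -]", "", display)
    m = re.fullmatch(r"(\d*)(\D+)(\d*)", compact)
    return (m is not None
            and len(m.group(1)) <= MAX_LEADING
            and len(m.group(3)) <= MAX_TRAILING)


# 14 to 16 digits, optionally separated by single spaces or hyphens, not
# adjacent to other digits (so a 17-digit run is not reported).
_PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,15}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Return full PANs (14-16 Luhn-valid digits) found in `text`, for checking
    that no Cardholder Data has been written to a log, file or ticket."""
    found = []
    for m in _PAN_RUN.finditer(text):
        digits = _digits_only(m.group(0))
        if 14 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed sample log; the card numbers are well-known test numbers.
    sample_log = (
        "2020-08-01 10:02 order 1182 paid with 4111 1111 1111 1111\n"
        "2020-08-01 10:05 order 1183 paid with 378282246310005\n"
        "2020-08-01 10:07 order 1184 paid with 411111******1111\n"
    )
    print(mask_pan("4111 1111 1111 1111"))        # last four only
    print(mask_pan("4111 1111 1111 1111", 6, 4))  # policy maximum
    print(find_unmasked_pans(sample_log))         # the two full PANs on lines 1-2
```

`mask_pan` refuses rather than clips an over-wide request so that a caller cannot accidentally configure a display that exceeds the policy maximum, and `find_unmasked_pans` is the check to run over exported logs, support tickets and shared drives when verifying D.5.1.4.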
  6. Service Providers
    1. University departments and offices may only use Service Providers that have been approved by the Division of Operations and Finance.
    2. Any contract or agreement with a Service Provider that will enable the Service Provider to have access to Cardholder Data or support the University’s CDE must define the Service Provider’s obligations and responsibilities in remaining compliant with the PCI DSS. These Service Provider obligations and responsibilities include, but are not limited to, the following:
      1. Providing evidence of PCI DSS compliance to the University throughout the term of the contract, no less than annually;
      2. Accommodating audit requests from the University, if requested in writing, to assess the appropriateness of the Service Provider’s information security safeguards;
      3. Accepting liability for the security of the Cardholder Data they possess through the use of their services and/or Systems;
      4. Notifying the University of any Incidents or any other potential Cardholder compromises within seventy-two (72) hours of detection; and
      5. If the Service Provider is not the payment processor, the contract language must state that the Service Provider will only use a PCI compliant payment processor throughout the term of the contract.
  7. Incident Response
    1. Merchants and Service Providers that detect a Security Incident involving Cardholder Data and/or the CDE (i.e., theft, damage, fraud, unauthorized access) must report the Incident as soon as possible. Security Incidents will be managed in accordance with the Information Security Incident Response Plan Policy.
  8. Sanctions
    1. Merchants that fail to adhere to the responsibilities outlined in this policy are subject to sanctions, which may include, but are not limited to:
      1. Suspension or loss of privileges to accept Payment Cards;
      2. Suspension or loss of access privileges to University Systems and/or the University’s CDE;
      3. Financial penalties and costs; and
      4. Disciplinary action, suspension or termination of employment or contract.
  9. Policy Maintenance and Review
    1. The Office of Accounting and Budget, in coordination with the Information Technology Department, will:
      1. Be responsible for the implementation and coordination of compliance efforts associated with this policy;
      2. Review this policy and associated procedures with assistance from all relevant University departments and offices; and
      3. Make updates to this policy and associated procedures based on changes to the PCI DSS and NEOMED’s CDE.

CONTACT

Lisa Noland
Administrative Specialist
Phone: 330.325.6354
Email: lnoland@neomed.edu

Office of General Counsel

Northeast Ohio Medical University