Payment card industry data security

Purpose

The purpose of this Policy is to prevent loss or disclosure of sensitive customer information including payment card data. Failure to protect customer information may result in financial loss for customers, suspension of credit card processing privileges, and fines imposed on and damage to the reputation of the unit and the institution.

PCI DSS
The PCI DSS is a mandated set of requirements agreed upon by the five major credit card companies: VISA, MasterCard, Discover, American Express and JCB. These security requirements apply to all transactions surrounding the payment card industry and the merchants/ organizations that accept these cards as forms of payment. Further details about PCI can be found at the PCI Security Standards Council Web site (https://www.pcisecuritystandards.org)

In order to accept credit card payments, Lynn University must prove and maintain compliance with the Payment Card Industry Data Security Standards. The Lynn University’s Payment Card Policy and additional supporting documents provide the requirements for processing, transmission, storage, and disposal of cardholder data transactions. This is done in order to reduce the institutional risk associated with the administration of credit card payments by individual departments and to ensure proper internal control and compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Visa Cardholder Information Security Plan (CISP)
Visa Inc. instituted the Cardholder Information Security Program (CISP) in June 2001. CISP is intended to protect Visa cardholder data - wherever it resides - ensuring that members, merchants, and service providers maintain the highest information security standard. In 2004, the CISP requirements were incorporated into the Payment Card Industry Data Security Standard (PCI DSS).

MasterCard Site Data Protection Program (SDP)
The SDP Program, with the PCI DSS as its foundation, details the data security and compliance validation requirements in place to protect stored and transmitted MasterCard payment account data.

Scope/Applicability

The Lynn University Payment Cards Policy applies to all faculty, staff, students, organizations, third-party vendors, individuals, systems, and networks involved with payment card handling. This includes transmission, storage, and/processing of payment card data, in any form (electronic or paper) on behalf of Lynn University.

Policy

It is the policy of Lynn University to allow acceptance of payment cards as a form of payment for goods and services upon written approval from the PCI Committee. Lynn University requires all departments that accept payment cards to do so only in compliance with the PCI DSS and in accordance with this policy document, the Lynn University payment card procedures, and other supporting documents.

All entities of Lynn University that receive or expect to receive payments electronically must comply with the guidelines and procedures issued by the Vice President of Business and Finance. All entities who wish to take payments via payment cards must be approved by the PCI Committee and the Vice President of Business and Finance. For more details on the specific processes, please contact the PCI Committee for further guidance.

Entities accepting payment cards will sign an agreement with the PCI Committee that details their responsibilities, as well as the security requirements (Payment Card Industry Data Security Standards and related institutional Information Technology Policies) that must be followed. This agreement may be updated from time to time as requirements change. Failure to follow the requirements of the agreement may result in the revocation of your ability to accept card payments.

Entities must accept only payment cards authorized by the PCI Committee and agree to operate in accordance with the contract(s) the Lynn University holds with its Service Provider(s) and the Card Brands. This is to ensure that all transactions are in compliance with the Payment Card Industry Data Security Standards (PCI DSS), Federal Regulations, NACHA rules, service provider contracts, and Lynn University policies regarding security and privacy that pertain to electronic transactions. Merchants are not allowed to store cardholder data (PAN/Name/Service Code/Expiration Date) or Sensitive Authentication Data (Full Magnetic Stripe data, CAV/CVV2/CW2/CID, PIN/Pin/Block) either electronically or physically. It is recommended that Merchants adhere to any University data retention or disposal policies if formulated. Otherwise Merchants are recommended to develop and implement their own data retention and disposal policies or standards, procedures and processes that include at least the following for all cardholder data (CHD) storage:

• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements;

• Data that is not absolutely necessary in order to conduct business will not be retained in any format. All data will be treated as confidential;

• Specific retention requirements for cardholder data;

• Processes for secure deletion of data when no longer needed;

• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention;

• Physical access to data records is restricted to staff with a need to know.

Cardholder data (CHD) received via end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.) is never to be used to process a payment. Follow approved departmental procedures for the appropriate method of responding to and securely destroying the cardholder data.

All Processing Equipment is to be obtained via the PCI Committee.

Exceptions to this policy will be limited and will require a business plan (including reason why the available central processing systems will not work for your area) to be submitted and approved by the PCI Committee in advance of any equipment or system purchase.

All payments received must be directed into a Lynn University Approved Bank Account. The type and nature of the electronic transaction (e.g., ACH, Credit Card, Point of Purchase, wire, etc.) will dictate where the transaction will be deposited.

Accounting entries to record the receipt of the payment will be linked directly into the institution’s Financial Information System (FIS), whenever possible, to ensure timely recording of transactions and expedite the prompt reconcilement of general ledger and bank accounts.

Definitions

Payment Card Industry Data Security Standards (PCI DSS)

The security requirements defined by the Payment Card Industry Security Standards Council and the 5 major Credit Card Brands:
• Visa, MasterCard, American Express, Discover, JCB

Cardholder Someone who owns and benefits from the use of a membership card, particularly a credit card.

Card Holder Data (CHD) Those elements of credit card information that are required to be protected. These elements include Primary Account Number (PAN), Cardholder Name, Expiration Date and the Service Code.

Primary Account Number (PAN) Number code of 14 or 16 digits embossed on a bank or credit card and encoded in the card's magnetic strip. PAN identifies the issuer of the card and the account, and includes a check digit as an authentication device.

Cardholder Name The name of the Cardholder to whom the card has been issued.

Expiration Date The date on which a card expires and is no longer valid. The expiration date is embossed, encoded or printed on the card.

Service Code The service code that permits where the card is used and for what.

Sensitive Authentication Data Additional elements of credit card information that are also required to be protected but never stored. These include Magnetic Stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data and PIN/PIN block.

Magnetic Stripe (i.e., track) data Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full magnetic-stripe data after transaction authorization.

CAV2, CVC2, CID, or CVV2 data The three- or four-digit value printed on or to the right of the signature panel or on the face of a payment card used to verify card- not-present transactions.

PIN/PIN block Personal Identification Number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.

Disposal CHD must be disposed of in a certain manner that renders all data un-recoverable. This includes paper documents and any electronic media including computers, hard drives, magnetic tapes, USB storage devices. (Before disposal or repurposing, computer drives should be sanitized in accordance with the (Institution’s) Electronic Data Disposal Policy). The approved disposal methods are:
• Cross-cut shredding, Incineration, Approved shredding or disposal service

Merchant Department Any department or unit (can be a group of departments or a subset of a department) which has been approved by the (institution) to accept credit cards and has been assigned a Merchant identification number.

Merchant Department Responsible Person (MDRP) An individual within the department who has primary authority and responsibility within that department for credit card transactions.

Database A structured electronic format for organizing and maintaining information that is accessible in various ways. Simple examples of databases are tables or spreadsheets

Procedures/Guidelines

Supporting Documents

Supporting documents listed below are available upon request. Please contact the PCI Committee for more details. pci@lynn.edu

• Best Practices
• Annual Merchant Survey
• Department Procedures Attachments
• Payment Card Equipment Inspection Log
• Employee List and Training Log
• Employee Attestation
• Payment Card Security Incident Response Plan
• Application for New Payment Card Merchants


To learn more about this policy or the supporting procedures, please contact Finance.

Policy updated on: Oct. 24, 2018