PCI Data Security Standards (for accepting credit cards)
Payment Card Industry Data Security Standards (PCI DSS) for Accepting Credit Cards
Boston University is required by the Card Associations to be compliant with the Payment Card Industry (PCI) Data Security Standards, and is committed to providing a secure environment for our customers to protect against both loss and fraud. Boston University must comply with Payment Card Industry (PCI) requirements for securely processing, storing, transmitting and disposing of cardholder data.
A. Payment Card Industry Data Security Standard (PCIDSS)
The PCIDSS is a result of collaboration among the major card brands to create common industry security requirements aiming to protect against both cardholder data exposure and compromise. The following programs incorporate PCIDSS:
|VISA||Cardholder Information Security Program (CISP)|
|MasterCard||Site Data Protection (SDP) Program|
|American Express||Data Security Requirements|
|Discover||Discover Information Security and Compliance (DISC) Program|
The PCIDSS offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCIDSS within their respective programs.
B. Payment Card Industry Data Security Standard (PCIDSS) – Basic Requirements
The PCIDSS consists of twelve basic requirements, and corresponding sub-requirements, categorized as follows:
|PCI Security Standard|
|Build and Maintain a Secure Network||1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
|Protect Cardholder Data||3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
|Maintain a Vulnerability Management Program||5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
|Implement Strong Access Control Measures||7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
|Regularly Monitor and Test Networks||10. Track and monitor all access to network resources and cardholder data”
11. Regularly test security systems and processes
|Maintain an Information Security Policy||12. Maintain a policy that addresses information security|
PCI DSS 1.2 as 03/25/2010
C. PCI Compliance
PCI compliance is required of all merchants and service providers that store, process, or transmit cardholder data. The requirements apply to all payment channels, including retail (in person), mail/telephone order, and e-commerce.
D. Cardholder Data/ Payment Card Data
Cardholder Data/ Payment Card Data is all personally identifiable data about the cardholder (i.e. account number, expiration date, data provided by the cardholder, other electronic data gathered by the merchant/agent, etc.). This term also accounts for other personal insights gathered about the cardholder, i.e., addresses, telephone numbers, magnetic stripe data and CVC2/CVV2.
All individuals authorized to accept payment cards (debit and credit cards) must securely process, store and dispose of payment card data (paper and electronic media) in order to adhere to the Payment Card Industry Data Security Standards (PCIDSS).
In order to protect cardholder data and ensure PCIDSS compliance at Boston University, the following policies must be followed:
- Individuals must comply with the PCIDSS.
- All transactions (including e-commerce) that involve the processing of payment card data (debit and credit cards) are required to utilize the Boston University Cashier System. Please contact the University Cashier at (617) 353-3896, or via email at email@example.com, for further information regarding Cashier System access. The University Cashier, in conjunction with Information Systems and Technology (IS&T), has developed a payment gateway for retail processing, mail/phone orders and e-commerce credit cards. The Cashier System also processes cash and check transactions via Galaxy access. The Cashier System transmits payment card transactions to our processor for deposit and automatically updates the Boston University General Ledger System in summary on a nightly basis. The transaction detail is securely stored on the Cashier System. A web interface to the Cashier System gateway is available to departments that wish to process e-commerce transactions.
- Exceptions to this policy may be granted only after a written request from the unit has been reviewed and is approved by the University Comptroller or his or her designee. Under no circumstance should a department contact a credit card processor directly to obtain access to credit card privileges for Boston University business needs.
- Third party service providers (any entity that handles, reads, transmits or processes payment card data other than the University Cashier’s Office) approved by the Comptroller must state through a formal contract that all associated third parties with access to cardholder data will adhere to the PCIDSS. This contract must clearly define the third party’s obligations and responsibilities in remaining compliant.
- To accept credit card payments at Boston University, University departments may request authorization to become a Visa, MasterCard or Discover merchant. The department must complete and submit a request form to the University Cashier for authorization. The sale of goods and services to entities outside the university community may raise special considerations (e.g. unrelated business tax, accounting or legal issues, etc). Questionable sales should be reviewed by the Comptroller’s Office and/or the Office of General Counsel.
- Payment card data may not be transmitted or stored in any other system, server, personal computer or e-mail account. Departments may store only the last 4 digits of the card number. Under no circumstance will it be permissible to obtain credit card information, or transmit credit card information, by e-mail.
- Physical (paper) cardholder data must be locked in a secure area with access limited to only authorized individuals. These printed materials may include, but are not limited to, paper receipts, paper reports, faxes and customer order forms.
- All transactions (ACH, Cash, Check and Credit Card) processed through the Cashier System at Boston University are electronically stored for a period of ten years. Payment card transactions display only the last four digits of the card number. Only authorized employees with a business need are granted access to the full payment card number; until authorized access, the payment card number is fully masked.
- All payment card numbers will be fully masked (overwritten) within 7 months from the date of the original transaction. Payments designated as a recurring transaction will be fully masked 14 months after the date of the original transaction.
- All media used for credit cards must be destroyed when no longer needed. All hardcopy (paper) must be crosscut shred prior to disposal.
Failure to meet the requirements outlined in this policy may result in suspension of physical and or electronic payment capability for affected units. Additionally, the credit card associations may impose fines. Persons in violation of this policy are subject to a full range of sanctions, including the loss of computer or network access privileges, disciplinary action, suspension, termination of employment and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. The University will carry out its responsibility to report such violations to the appropriate authorities.
PCI DSS Compliance Quick Guidelines
- It is against University Policy to store credit card numbers on any computer, server, or database. This includes Excel spreadsheets.
- Restrict access to card data by business need to know
- Paper documents containing cardholder data must be kept in a secure environment (i.e. safe, locked file cabinet, etc.).
- Restrict physical access to cardholder data.
- Cardholder data must be transmitted securely (i.e. encrypted).
- Email is not an approved way to transmit credit card numbers.
- Fax transmittal of cardholder data is permissible only if the receiving fax is located in a secure environment.
- Paper receipts must be destroyed so that account information is unreadable and cannot be reconstructed.
- Technology changes that affect payment card systems are required to be approved by the University Cashier prior to being implemented.
- Any new systems/software that process payment cards are required to be approved by the University Cashier prior to being purchased.
- Install and maintain a firewall and router configuration to protect cardholder data.
- Use and regularly update anti-virus software.
- Do not use vendor-supplied defaults for systems passwords and other security parameters.
- Assign a unique ID to each person with computer access.
- Computer systems that process payment cards must have the ability to monitor and track access to network resources and cardholder data.
- Report all suspected or known security breaches to the University Cashier.
- Please call the University Cashier if you have any questions at 617-353-3896, or by email at firstname.lastname@example.org.
PCI Compliance Policy for Type A Merchants
- While the University Cashier’s system meets most departments’ business processing and data requirements, in rare cases a University department may have business requirements that cannot be met by the University Cashier’s system. In these instances, departments may request an exemption from using the Cashier’s system for credit card processing. However, exemptions may be granted only after a written request from the unit has been reviewed and approved by the University Comptroller or his or her designee. Units that enter into credit card processing arrangements outside of the Cashier’s System must be certified as PCI compliant, will be required to complete a PCI compliance questionnaire as well as additional training and be subject to regular reviews for continuing compliance. Under no circumstance should a department contact a credit card processor directly to obtain access to credit card privileges for Boston University business needs.
- Any agreement entered into with a third party credit card processor must be documented in a formal contract. The contract will be subject to review and approval by both the Comptroller and the Office of General Counsel and must clearly state that all associated third parties with access to cardholder data will adhere to the PCIDSS. This contract must clearly define the third party’s obligations and responsibilities to remain compliant.
- Special Requirements for Boston University Type A Merchants