Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

BGSU Departmental Procedure

advertisement 
Business Policy & Procedure Manual
PCI DSS DEPARTMENT OPERATING PROCEDURES
HEADER SECTION:
Applicability
Last Revised
Policy Owner
Governing Body
All University Units
3/19/2012
Director of Business Operations
See detail
INTRODUCTION:
Each department is responsible to ensure the following:

Authorized credit card processing users are trained on proper credit card handling per PCI DSS.
The operating procedures below define the basic requirements for users.
o All employees must be trained annually. Incorporate PCI DSS training into new hire
training programs.
o
Obtain and retain signature evidence of training.
o Departments are responsible to create department-specific procedures, if applicable, to
define procedures outside of the scope of this document.

Business Operations is notified of any changes to department credit card processing technologies
and/or procedures. Notify Business Operations immediately if you suspect a breach of
security.

Annual completion and submission of the identified Self-Assessment Questionnaire (SAQ).
OPERATING PROCEDURES:
User Authentication and Access
 User accounts must use a unique identifier, no group or shared accounts are permitted.
o First time passwords must be unique and changed upon first use.
o Passwords must change every 90 days.
o Do not use group or shared passwords.

Restrict access to data on a “need to know” basis.
o Authorization must be completed on a form signed by management defining access.

Verify user identity prior to making any changes including additions, deletions or modifications.
612929438
Page 1 of 3
Printed on: 6/27/2016
Business Policy & Procedure Manual

Users must annually acknowledge understanding of the account policy and procedures.

A process must exist to disable and remove accounts that are no longer needed immediately.

User Accounts must be reviewed; Inactive accounts shall be retired at least every 90 days.
Receipt of Cardholder Data
 Never send or receive un-encrypted Primary Account Number (PAN) through end-user
messaging systems such as email or instant messaging (IM).

Fax is not considered a secure method for transmitting cardholder data and should be eliminated
as a method of data receipt.
Physical Security
 Credit card data is not to be copied – this applies to hard copy data and electronic data.

Physically secure all paper and electronic media that contains cardholder data. “Working
documents” may be locked in a cabinet during the day, but must be returned to a safe or
approved storage facility at the end of the day.

POS devices and other equipment used for processing cardholder data must be kept secure when
not in use. This can be achieved through locking them in a safe or secure cabinet, camera
surveillance, or other approved secure method.
Data Retention and Disposal
 Do not store CC data after processing. Remove and destroy CC data from registration/order
forms.

All sensitive and credit card data must be destroyed when it is no longer required by legal,
contractual, or business need. Paper must be cross-cut shredded or incinerated.
Backup Control Policy
 When transporting credit card information to the Bursar for processing, utilize the courier service
provided by Public Safety.
Wireless Usage Policy
 Contact ITS for secure wireless access when processing credit card transactions remotely.
Self-Assessment Questionnaire (SAQ)
 Department designee, in conjunction with Information Technology Services (ITS) and the PCI
DSS team, must submit the appropriate SAQ annually. The appropriate SAQ is determined by
the department’s processing type and identified on the Campus Merchants list.
612929438
Page 2 of 3
Printed on: 6/27/2016
Business Policy & Procedure Manual
DEFINITIONS:
PCI DSS COMPLIANCE - The Payment Card Industry Data Security Standard (PCI DSS) is a widely
accepted set of policies and procedures intended to optimize the security of credit, debit and cash card
transactions and protect cardholders against misuse of their personal information. The PCI DSS was
created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American
Express.
SELF ASSESSMENT QUESTIONNAIRE (SAQ) – A validation tool to help merchants validate their
compliance with PCI-DSS.
ADDITIONAL INFORMATION:
Once printed, this policy may be outdated. The official policy can be found at
http://www.bgsu.edu/offices/treasurer/index.html .
Additional statements related to PCI DSS may be found in other policies issued by BGSU. See also
BGSU PCI DSS Policies and Procedures Final.
612929438
Page 3 of 3
Printed on: 6/27/2016
Related documents
PCI DSS Primer
PCI DSS Primer
Gathering and using information extracted and integrated from
Gathering and using information extracted and integrated from
NAVIS RESOURCES – Accessible from your reporting group account. Payment Flow Diagram
NAVIS RESOURCES – Accessible from your reporting group account. Payment Flow Diagram
Cubilis by Stardekk
Cubilis by Stardekk
Payment Card - California State University, Sacramento
Payment Card - California State University, Sacramento
The ABC's of PCI DSS - Utility Payment Conference
The ABC's of PCI DSS - Utility Payment Conference
Business Office Forum
Business Office Forum
Longwood University Payment Card Security Procedures
Longwood University Payment Card Security Procedures
Data Security Standard - PCI Security Standards Council
Data Security Standard - PCI Security Standards Council
PCI SSC Getting Started with PCI DSS
PCI SSC Getting Started with PCI DSS
Achieving PCI DSS Compliance with NetMRI
Achieving PCI DSS Compliance with NetMRI
PCI DSS
PCI DSS
Educause+PCI+briefing+4-19-2016
Educause+PCI+briefing+4-19-2016
SAQ A
SAQ A
SAQ B
SAQ B
 SAQ B
 SAQ B
TJ Maxx Settlement Requires Creation of Information Security
TJ Maxx Settlement Requires Creation of Information Security
Self-Assessment Questionnaire C - PCI Security Standards Council
Self-Assessment Questionnaire C - PCI Security Standards Council
Self-Assessment Questionnaire P2PE and Attestation of Compliance
Self-Assessment Questionnaire P2PE and Attestation of Compliance
Instructions and Guidelines Document
Instructions and Guidelines Document
Self-Assessment Questionnaire C-VT and Attestation of Compliance Payment Card Industry (PCI)
Self-Assessment Questionnaire C-VT and Attestation of Compliance Payment Card Industry (PCI)
Self-Assessment Questionnaire C-VT
Self-Assessment Questionnaire C-VT
Download
advertisement