East Carolina University Standard Statement

STANDARD STATEMENT – Payment Card Processing Compliance Standards

Introduction

These standards support the Payment Card Processing Compliance Policy and should be adopted by all East Carolina University departments and employees.

Standards

All University merchant departments must request and receive approval to accept payments by payment card from the Director of Student Financial Services prior to accepting any card payments.

All software, hardware, and vendors used in a PCI DSS compliant environment must be approved in writing by ECU Financial Services and ITCS within 90 days prior to purchase of equipment/software/services or execution of contracts. All purchases must be executed in accordance with the ECU Basic Purchasing Procedures. The card payment system must be authorized by OSC before it goes online.

Payment Card Systems that move or access Cardholder Data via the campus network must use an approved vendor according to the following order of decreasing preference:
o OneStop portal connecting to TouchNet.
o If OneStop cannot provide the required functionality, application, data, and web hosting (if applicable) must be outsourced to TouchNet.
o If TouchNet cannot provide the required functionality, the department must obtain written approval from the Vice Chancellor for Administration and Finance and the CIO prior to contracting with an external vendor. This vendor must be certified PCI compliant and approved in writing by ECU Financial Services and ITCS before any contracts are signed or materials purchased. The MDRP shall be responsible for documenting the vendor’s PCI compliance.
Storage

o Cardholder Data must not be stored on any system, computing or information technology device, server, desktop computer, backup device, or point of sale device without prior review and approval by ECU Financial Services, ITCS, and OSC.
o Cardholder Data must not be stored on laptop, notebook, or mobile computers at any time.
o Departments’ point of sale devices must be settled daily and cleared after settlement.
o Any Cardholder Data in paper format or other hard copy must be stored securely in a limited-access area for a period no longer than is necessary to meet the document retention procedures of the individual department.
o Access to an area used to process, transmit, or store Payment Card Data must be restricted to authorized University personnel on a need-to-know basis. ID badges, office keys, or comparable security devices must be used to restrict access. All Payment Card information and Cardholder Data must be removed from a University employee’s work area if that employee is not physically present at the workstation.
o Storage of the full contents of any track from a Payment Card magnetic stripe, whether on the back of the Payment Card, in a chip, or otherwise, is prohibited.
o Storage of the Payment Card validation code (aka CVV code; the three-digit value printed on the signature line of the Payment Card) is strictly prohibited.
o Storage of the Payment Card account number must be encrypted or truncated.

Network and Systems

o Any computing or information technology device, server, desktop computer, or other system used to access, process, transmit, or store Payment Card Data must be installed and verified by ITCS after approval by ECU Financial Services.
o A Payment Card System must be protected by a firewall approved, installed, maintained, and monitored by ITCS.
o ITCS will perform a complete network and systems review for verification of Cardholder Data security prior to any Payment Card System being used to access, process, transmit, or store Cardholder Data. Before implementing any changes to a Payment Card System, ITCS must authorize, formally document, plan, and log the changes.
o All transmissions of Payment Card Data over public networks must be encrypted through the use of SSL or other industry-acceptable methods, using the latest standards as approved by ITCS.
o All workstations and servers that are part of a Payment Card System must be dedicated to the functions of the Payment Card System. Applications not required for the Payment Card System, or its security, are prohibited on these computers.
o All workstations and servers that are part of a Payment Card System must have appropriate protection against malware and unauthorized access. At minimum, they must have:
  - ITCS-supported anti-virus software installed and operating with current anti-virus definitions
  - an ITCS-supported operating system with the latest security patches installed
  - the latest version of vendor-supplied software with the latest security patches installed and optional security settings configured for maximum protection
  - local firewalls
  - strong passwords (as defined by the ECU Password Strength Policy)
  - system logs
  - password-protected screen savers enabled and set to activate after the device has been inactive for 10 minutes
  - hard-wired network connections (no wireless connectivity is permitted in the PCI computing environment)
  - physical computers (no virtual machines, e.g., VMware, are permitted in the PCI computing environment)
o All information technology devices that are not workstations or servers, but which still function as part of a Payment Card System, must have appropriate compensating controls in place and certified by ITCS to prevent unauthorized access or malware infection.
o Remote access to Payment Card Systems is prohibited unless required for vendor support. If so, remote access shall be granted temporarily and revoked immediately upon completion of the support task.
o ITCS will periodically review the Departments’ system logs, network logs, and backup, disaster recovery, and business continuity plans. System logs must be maintained online for 90 days and offline for a period of 1 calendar year.
o If the Payment Card System uses a server located on the ECU campus, the server must be housed in server rooms maintained and secured by ITCS.
o Payment Card computers are prohibited from connecting to the ECU wireless network at any time.

Display

o All but the last four digits of the Payment Card account number must be masked whenever any other Cardholder Data is displayed, regardless of whether such information appears on paper, fax, email, computer display, log files, or otherwise.
o Payment Card Data must not be transmitted via email.
o Departments should not take Payment Card Data via cell phone.
o Payment Card Data shall not be verbally repeated in front of anyone other than the Payment Card holder or other employees authorized to work with Cardholder Information.
o All Payment Card Data must be restricted and/or blocked from the view of third-party customers and others without a need to know. Glare screens or similar devices may be used to restrict or block the view of others.

Application and Web Development

o All software application and/or web development involving the storage, processing, or handling of Payment Card Data must be created following a defined software development life cycle and commonly accepted security guidelines, such as Open Web Application Security Project guidelines, and approved by ITCS prior to purchase, implementation, deployment, or use.
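The masking rule in the Display section (all but the last four digits hidden, including in log files) and the "encrypted or truncated" storage rule in the Storage section both come down to the same operation: find anything that looks like an account number and keep only its last four digits. The following Python is an added illustration, not part of the ECU standard or any ECU system. It scans free text such as application log lines for 13 to 19 digit runs, confirms candidates with the Luhn check so that ordinary identifiers are left alone, and truncates confirmed numbers. The regular expression, the function names and the sample strings are constructed for this example; the account numbers used in the examples are the well-known industry test values, not real accounts.

```python
import re

# Constructed pattern: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the last four digits, replace all others with X, keep separators."""
    remaining = sum(ch.isdigit() for ch in pan)   # digits left to process
    out = []
    for ch in pan:
        if ch.isdigit():
            out.append(ch if remaining <= 4 else "X")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)


def scrub(text: str) -> str:
    """Mask every Luhn-valid account number found in free text."""
    def _repl(m: re.Match) -> str:
        raw = m.group(0)
        # The greedy match may swallow trailing digits (e.g. a following
        # short reference number). Shrink from the right to the longest
        # Luhn-valid prefix of at least 13 digits before giving up.
        digit_pos = [i for i, ch in enumerate(raw) if ch.isdigit()]
        for n in range(len(digit_pos), 12, -1):
            end = digit_pos[n - 1] + 1
            cand = raw[:end]
            if luhn_ok(re.sub(r"[ -]", "", cand)):
                return mask_pan(cand) + raw[end:]
        return raw                      # not a card number; leave as-is
    return _PAN_RE.sub(_repl, text)


if __name__ == "__main__":
    # Constructed log lines using an industry test account number.
    for line in [
        "2024-01-01 12:00:00 INFO paid with 4111111111111111 ref 1234567890123456",
        "2024-01-01 12:00:01 INFO card 4111 1111 1111 1111 approved",
    ]:
        print(scrub(line))
```

Note that the Luhn check only reduces false positives; it does not prove that a run of digits is a card number, so a production scrubber would also be run against the specific fields (and not just the text) an application writes to its logs.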
o All software utilized in a Payment Card System must be verified as compliant with the Payment Application Data Security Standard (PA DSS) prior to purchase and implementation. See the link below for additional information and a list of approved software vendors.
  https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml
o If a department wants to sell merchandise and/or take Payment Card payments via a website, ECU Financial Services and ITCS must approve all processes and contracts before the department purchases any goods or services. The following options must be used in the following order of preference:
  - OneStop. ITCS will attempt to provide the desired service using the ECU OneStop portal.
  - TouchNet. In the event that the OneStop portal cannot provide the desired service, the department shall contact TouchNet for web hosting and card processing services.
  - PCI-certified third-party vendor. In the event that TouchNet cannot provide the desired service, the department shall contact a PCI-certified third-party vendor to provide web hosting and card processing services.

Access

o Access to a Payment Card System must be protected by secure login and password, and must be restricted to those with a need to know. Departments that accept Payment Card payments electronically (including, without limitation, via personal computer, Internet, or voice response) must also follow all applicable regulations. Authorization for Departments to accept Payment Card payments must be obtained in advance of process creation from the Controller’s Office (Student Business Services) for point of sale processing, and from ITCS for electronic processing.
o Employee access must be revoked immediately upon termination of employment or change in responsibilities eliminating the need to access Cardholder Data.
o Access provided for any individual who is not a University employee, such as contract or temporary employees, must be reviewed in advance by the Office of Risk Management.
o Group, shared, or generic access to a Payment Card System or Cardholder Data is prohibited.
o Prior to sharing Payment Card Data with an external organization, or entering into an arrangement with a vendor to process Payment Card transactions, a written agreement must be reviewed and approved in writing by ECU Financial Services and ITCS.

Disposal

o When receipts, paper, and other hard copies of Payment Card information or Cardholder Data are disposed of, they must be shredded using a cross-cut/confetti shredder or a bonded secure data disposal service.
o Disposal of electronic equipment involved in a Payment Card System must be handled in accordance with the University Disk Sanitizing Policy.

Security Incidents

o Any release or exposure of Payment Card Data to an unauthorized party, or unauthorized access to a Payment Card System, must be reported to ITCS immediately.
o If a Payment Card System was involved in such exposure, release, or unauthorized access, all persons whose information was possibly involved must be notified according to established University policy. Contact the ITCS Help Desk for details.
o An emergency response plan will be implemented as necessary.

Student Workers

o Student workers may serve in a cashier capacity in a payment card PCI DSS compliant environment. A cashier capacity is defined as physically handling one payment card at a time or one payment card holder account at a time.
o If a student worker has access to multiple payment card holder accounts during employment, then a criminal background check is necessary to meet compliance with PCI DSS requirements.
Satellite Collections of Payment Card Data

o The merchant department is responsible for all payment card holder data that is processed in its environment, whether on its own behalf or on behalf of another department.
o ECU departments or other agents collecting payment card data for processing by the merchant department must be incorporated into the Self Assessment Questionnaire and Security Awareness processes to ensure education about PCI DSS.
o The merchant department is responsible for ensuring compliance with PCI DSS and all related ECU policies and procedures at these satellite locations.

All vendors with potential access to Payment Card processing systems or the information they contain must be contractually required to adhere to all rules, regulations, and contractual provisions regarding the handling of Payment Cards and Cardholder Data, including PCI DSS.

Departments shall purchase data loss insurance for cardholder data covered by PCI DSS.

Any questions regarding compliance with these Standards should be directed to the PCI Committee Contact in Financial Services for submission to the appropriate authority.

Definitions

1) Payment Card – Includes credit cards, debit cards, ATM cards, and any other card or device other than cash or checks, issued by a bank or credit union, which is normally presented by a person seeking to make payment, for the purpose of making a payment.
2) Cardholder Data – A Payment Card holder’s name and contact information, Payment Card number, account number, card expiration date, CVV2, CVC2, Payment Card transaction information, and/or any other information that may be used to personally identify a Payment Card account or holder.
3) CVV – Card Verification Value or Code. A three- or four-digit number on the front or back of a payment card used to verify card-not-present transactions.
4) Payment Card System – Any computing or information technology device, server, desktop computer, or other system used to access, store, process, or transmit Cardholder Data.
5) OSC – The North Carolina Office of the State Controller.
6) PCI DSS – Payment Card Industry Data Security Standard.
7) PA DSS – Payment Application Data Security Standard.
8) Locally hosted – Any Payment Card System using computing devices connected to the ECU network to store, process, access, transmit, or receive Cardholder Data.
9) Outsourced – Any Payment Card System using computing devices located off the ECU campus to store, process, access, transmit, or receive Cardholder Data.
   a) All vendors, networks, and software used in these systems must be certified PCI compliant.
   b) Departmental workstations on the ECU network that connect to outsourced systems for the purpose of conducting Payment Card transactions must be located on a special area of the ECU data network called the “PCI VLAN” before connecting to the outsourced Payment Card system.
10) MDRP – Merchant Department Responsible Person, designated as the individual within a department who will have primary authority and responsibility for Payment Card transaction processing within that department.
11) PCI VLAN – Virtual Local Area Network created to help reduce the risk of unauthorized access to sensitive Cardholder Data.
12) Visa Cardholder Information Security Program (CISP) – Information security program drafted by Visa and adopted by most major credit card companies.