East Carolina University Payment Card Industry (PCI) Standard Statement

East Carolina University
Standard Statement
STANDARD STATEMENT – Payment Card Processing Compliance Standards
Introduction
These standards support the Payment Card Processing Compliance Policy and should be adopted by all East Carolina University departments and employees.
Standards
• All University merchant departments must request and receive approval to accept payments by payment card from the Director of Student Financial Services prior to accepting any card payments.
• All software, hardware, and vendors used in a PCI DSS compliant environment must be approved in writing by ECU Financial Services and ITCS within 90 days prior to purchase of equipment/software/services or execution of contracts.
• All purchases must be executed in accordance with the ECU Basic Purchasing Procedures.
• The card payment system must be authorized by OSC before it goes online.
• Payment Card Systems that move or access Cardholder Data via the campus network must use an approved vendor according to the following order of decreasing preference:
o OneStop portal connecting to Touchnet.
o If OneStop cannot provide required functionality, application, data, and web hosting (if applicable) must be outsourced to Touchnet.
o If Touchnet cannot provide required functionality, the department must obtain written approval from the Vice Chancellor for Administration and Finance and the CIO prior to contracting with an external vendor. This vendor must be certified PCI compliant and approved in writing by ECU Financial Services and ITCS before any contracts are signed or materials purchased. The MDRP shall be responsible for documenting the vendor’s PCI compliance.
Storage
o Cardholder Data must not be stored on any system, computing or information technology device, server, desktop computer, backup device, or point of sale device without prior review and approval by ECU Financial Services, ITCS, and OSC.
o Cardholder Data must not be stored on laptop, notebook, or mobile computers at any time.
o Departments’ point of sale devices must be settled daily and cleared after
settlement.
o Any Cardholder Data in paper format or other hard copy must be stored securely
in a limited-access area for a period no longer than is necessary to meet document
retention procedures of the individual department.
o Access to an area used to process, transmit, or store Payment Card Data must be
restricted to authorized University personnel on a need-to-know basis. ID badges,
office keys, or comparable security devices must be used to restrict access. All
Payment Card information and Cardholder Data must be removed from a
University employee’s work area if that employee is not physically present at the
workstation.
o Storage of the full contents of any track from a Payment Card magnetic stripe,
whether on the back of the Payment Card, in a chip, or otherwise, is prohibited.
o Storage of the Payment Card validation code (aka CVV code; the three digit value
printed on the signature line of the Payment Card) is strictly prohibited.
o Storage of the Payment Card account number must be encrypted or truncated.
Network and Systems
o Any computing or information technology device, server, desktop computer, or
other system used to access, process, transmit, or store Payment Card Data must be
installed and verified by ITCS after approval by ECU Financial Services.
o A Payment Card System must be protected by a firewall approved, installed,
maintained, and monitored by ITCS. ITCS will perform a complete network and
systems review for verification of Cardholder Data security prior to any Payment
Card System being used to access, process, transmit, or store Cardholder Data.
Before implementing any changes to a Payment Card System, ITCS must
authorize, formally document, plan, and log the changes.
o All transmissions of Payment Card Data over public networks must be encrypted
through the use of SSL or other industry acceptable methods, using the latest
standards as approved by ITCS.
o All workstations and servers that are part of a Payment Card System must be
dedicated to the functions of the Payment Card System. Applications not required
for the Payment Card System, or its security, are prohibited on these computers.
o All workstations and servers that are part of a Payment Card System must have
appropriate protection against malware and unauthorized access. At minimum,
they must have:
 ITCS-supported anti-virus software installed and operating with current anti-virus definitions
 ITCS-supported operating system with the latest security patches installed
 the latest version of vendor-supplied software with the latest security patches installed and optional security settings configured for maximum protection
 Local firewalls
 Strong passwords (as defined by ECU Password Strength Policy)
 System logs
 Password-protected screen savers enabled and set to activate after the device has been inactive for 10 minutes
 Hard-wired network connections—no wireless connectivity permitted in the PCI computing environment
 Physical computers—no virtual machines (virtual computers, e.g., VMWare) permitted in the PCI computing environment.
o All information technology devices that are not workstations or servers, but which
still function as part of a Payment Card System, must have appropriate
compensating controls in place and certified by ITCS to prevent unauthorized
access or malware infection.
o Remote access to Payment Card systems is prohibited unless required for vendor
support. If so, remote access shall be granted temporarily and revoked
immediately upon completion of the support task.
o ITCS will periodically review the Departments’ system logs, network logs, and
backup, disaster recovery, and business continuity plans. System logs must be
maintained online for 90 days and offline for the period of 1 calendar year.
o If the Payment Card System uses a server located on the ECU campus, the server
must be housed in server rooms maintained and secured by ITCS.
o Payment Card computers are prohibited from connecting to the ECU wireless
network at any time.
Display
o All but the last four digits of the Payment Card account number must be masked whenever any other Cardholder Data is displayed, regardless of whether such information appears on paper, fax, email, computer display, log files, or otherwise.
o Payment Card Data must not be transmitted via email.
o Departments should not take Payment Card Data via cell phone.
o Payment Card Data shall not be verbally repeated in front of anyone other than the
Payment Card holder or other employees authorized to work with Cardholder
Information.
o All Payment Card Data must be restricted and/or blocked from the view of third-party customers and others without the need to know. Glare screens or similar devices may be used to restrict or block the view of others.
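The display rule above applies to log files as much as to screens, and the Storage rules forbid keeping the validation code at all. The following added example (not part of the University's standard, written here for illustration) shows one way a department could scrub application logs before they are retained: it finds 13-19 digit runs, keeps only those that pass the Luhn checksum used by payment cards, masks all but the last four digits, and redacts any CVV/CVC value outright. The log lines, field names and card number are constructed sample data.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card validation codes must never be stored, so they are redacted entirely.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid PANs (limits false positives on order ids) and redact CVVs."""
    def _mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    line = PAN_RE.sub(_mask, line)
    return CVV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


def scrub_log(lines):
    return [scrub_log_line(line) for line in lines]


# Constructed sample lines (not real transactions). 4111111111111111 is a
# well-known Luhn-valid test number; 1234567890123456 fails the checksum.
SAMPLE_LOG = [
    "2024-03-01 10:12:03 INFO  pos-2 sale approved pan=4111111111111111 amount=42.50",
    "2024-03-01 10:12:04 DEBUG gateway request card=4111 1111 1111 1111 cvv=123",
    "2024-03-01 10:12:05 INFO  order_id=1234567890123456 status=settled",
]

if __name__ == "__main__":
    for scrubbed in scrub_log(SAMPLE_LOG):
        print(scrubbed)
```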
Application and Web Development
o All software application and/or web development involving the storage,
processing, or handling of Payment Card Data must be created following a defined
software development life cycle and commonly accepted security guidelines, such
as Open Web Application Security Project guidelines, and approved by ITCS prior
to purchase, implementation, deployment, or use.
o All software utilized in a Payment Card System must be verified as compliant with
Payment Application Data Security Standards (PA DSS) prior to purchase and
implementation. See link below for additional information and list of approved
software vendors.
https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml
o If a department wants to sell merchandise and/or take Payment Card payments via
a website, ECU Financial Services and ITCS must approve all processes and
contracts before the department purchases any goods or services. The following
options must be used in the following order of preference:
 OneStop. ITCS will attempt to provide the desired service using the ECU OneStop portal.
 TouchNet. In the event that the OneStop portal cannot provide the desired service, the department shall contact TouchNet for web hosting and card processing services.
 PCI-certified third-party vendor. In the event that TouchNet cannot provide the desired service, the department shall contact a PCI-certified third-party vendor to provide web hosting and card processing services.
Access
o Access to a Payment Card System must be protected by secure login and
password, and must be restricted to those with a need to know. Departments that
accept Payment Card payments electronically (including without limitation, via
personal computer, Internet or voice response) must also follow all applicable
regulations. Authorization for Departments to accept Payment Card payments
must be obtained in advance of process creation from the Controller’s Office
(Student Business Services) for point of sale processing, and from ITCS for
electronic processing.
o Employee access must be revoked immediately upon termination of employment
or change in responsibilities eliminating the need to access Cardholder Data.
o Access provided for any individual who is not a University employee, such as
contract or temporary employees, must be reviewed in advance by the Office of
Risk Management.
o Group, shared or generic access to a Payment Card System or Cardholder Data is
prohibited.
o Prior to sharing Payment Card Data with an external organization, or entering into
an arrangement with a vendor to process Payment Card transactions, a written
agreement must be reviewed and approved in writing by ECU Financial Services
and ITCS.
Disposal
o When receipts, paper and other hard copies of Payment Card information or
Cardholder Data are disposed of, they must be shredded using a cross cut/confetti
shredder, or a bonded secure data disposal service.
o Disposal of electronic equipment involved in a Payment Card System must be
handled in accordance with the University Disk Sanitizing Policy.
Security Incidents
o Any release or exposure of Payment Card Data to an unauthorized party or
unauthorized access to a Payment Card System must be reported to ITCS
immediately.
o If a Payment Card System was involved in such exposure, release, or unauthorized
access, all persons whose information was possibly involved must be notified
according to established University policy. Contact the ITCS Help Desk for
details.
o An emergency response plan will be implemented as necessary.


Student Workers
o Student workers may serve in a cashier capacity in a payment card PCI DSS
compliant environment. A cashier capacity is defined as physically handling one
payment card at a time or one payment card holder account at a time.
o If a student worker has access to multiple payment card holder accounts during
employment then a criminal background check is necessary to meet compliance
with PCI DSS requirements.
Satellite Collections of Payment Card Data
o The merchant department is responsible for all payment card holder data that is
processed in their environment whether it is on their behalf or on behalf of another
department.
o ECU departments or other agents collecting payment card data for processing by
the merchant department must be incorporated into the Self Assessment
Questionnaire and Security Awareness processes to ensure education about PCI
DSS.
o The merchant department is responsible for ensuring compliance with PCI DSS
and all related ECU policies and procedures at these satellite locations.

All vendors with potential access to Payment Card processing systems or the information they contain must be contractually required to adhere to all rules, regulations, and contractual provisions regarding the handling of Payment Cards and Cardholder Data, including PCI DSS.

Departments shall purchase data loss insurance for cardholder data covered by PCI DSS.

Any questions regarding compliance with these Standards should be directed to the PCI
Committee Contact in Financial Services for submission to the appropriate authority.
Definitions
1) Payment Card – Includes credit cards, debit cards, ATM cards, and any other card or device
other than cash or checks, issued by a bank or credit union, which is normally presented by a
person seeking to make payment, for the purpose of making a payment.
2) Cardholder Data - A Payment Card holder’s name and contact information, Payment Card
number, account number, card expiration date, CVV2, CVC2, Payment Card transaction
information and/or any other information that may be used to personally identify a Payment
Card account or holder.
3) CVV – Card Verification Value or Code. Three or four digit number on the front or back of a
payment card used to verify card-not-present transactions.
4) Payment Card System - Any computing or information technology device, server, desktop
computer, or other system used to access, store, process, or transmit Cardholder Data.
5) OSC - The North Carolina Office of the State Controller.
6) PCI DSS - Payment Card Industry Data Security Standard.
7) PA DSS – Payment Application Data Security Standard.
8) Locally hosted - Any Payment Card System using computing devices connected to the ECU
network to store, process, access, transmit, or receive Cardholder Data.
9) Outsourced - Any Payment Card System using computing devices located off the ECU
campus to store, process, access, transmit, or receive Cardholder Data.
a) All vendors, networks, and software used in these systems must be certified PCI
compliant.
b) Departmental workstations on the ECU network that connect to outsourced systems for
the purpose of conducting Payment Card transactions must be located on a special area of
the ECU data network called the “PCI VLAN” before connecting to the outsourced
Payment Card system.
10) MDRP - Merchant Department Responsible Person designated as the individual within a
department who will have primary authority and responsibility for Payment Card transaction
processing within that department.
11) PCI VLAN - Virtual Local Area Network created to help reduce the risk of unauthorized
access to sensitive Cardholder Data.
12) Visa Cardholder Information Security Program (CISP) – Information security program
drafted by Visa and adopted by most major credit card companies.