Goal is protection of sensitive data
• New Rice policy calls for protection of sensitive personally identifying information
• Confidential information includes:
 - Social Security numbers
 - Credit card numbers
 - Driver’s license or other gov’t issued ID
 - Bank account information
 - Protected health information
 - Student education records

Credit Card Use at Rice
• Rice departments process credit card transactions for the following business purposes:
 - Receiving donations
 - Selling merchandise
 - Registering people for events
 - Receiving tuition and fees payments
• This initiative only concerns payments accepted by Rice, so Pcards are not included.

Credit Card Security
• The payment card industry established data security standards (PCI DSS) for credit and debit card transactions
• Key points of the DSS:
 - Build and maintain a secure network
 - Protect cardholder data
 - Maintain a vulnerability management program
 - Implement strong access control measures
 - Regularly monitor and test networks
 - Maintain an information security policy

PCI compliance activities at Rice
• Committee to manage process
• Drafted procedures and website
• Briefing sessions
• Completed first year assessments
• Identified issues to be resolved by June 1
• Second year assessment due Dec 2011
IF WE HAVE MISSED YOUR DEPARTMENT, PLEASE LET US KNOW!

Key Points of University-wide Credit Card procedures
• Treat data as confidential.
• Data that is not absolutely necessary in order to conduct business will not be retained in any format (e.g., paper or electronic).
• Data will not be accepted, requested, or retained via e-mail or other electronic means.
• Do not store card-validation codes (the three- or four-digit code) used to validate card-not-present transactions, or the personal identification number (PIN) or encrypted PIN block.
• Mask account numbers if and when displayed (i.e., show no more than the first six and last four digits of the credit card number).
• Restrict physical access to records to a “business-need-to-know” using such means as locked file cabinets and restricted file rooms, and restrict distribution of such records.
• If external media or couriers are used to transmit or transfer such data, means that enable tracking of the data will be used. Any transfer using these or similar means will be approved by appropriate levels of management before the fact.
• If this information is shared with any external service providers, vendors’ contractual obligations to comply with the PCI standards will be ensured.

Departmental Credit Card Procedures
• Departments that accept and handle credit and debit card payments must have departmental procedures
• Key issues:
 – Only keep the information you MUST have to do business. Store paper securely.
 – Do not store credit card data electronically.
 – Require external vendors to be PCI DSS compliant; consult with General Counsel.
• Contact: Susan Castanza (castanza@rice.edu)

Authorization to Process Credit Cards
• Application Process: Contact Susan Castanza (x4649)
 – What is the business need?
 – How do you propose to accept credit and debit card payments?
 – What are the various costs associated with accepting credit and debit cards?
• Touchnet Payment Gateway is preferred for on-line processing
 – PCI-DSS compliant
• Requires commitment to security compliance

Website
• Sources of Information:
 – There is a new web site that gathers all this information together: creditcards.rice.edu
• Includes:
 – Application Process
 – Security Information
 – Processing Tips

Thanks to Credit Card Committee
• Rhonda Bethea
• Krystal Bivens
• Susan Castanza
• Randy Castiglioni
• George Cochrum
• Jeff Frey
• Dow Hudlow
• Rick Mello
• Ryan Moore
• Mike Morgan
• Frank Rodriguez
• Karen Rubinsky
• Marc Scarborough
• Lynder Watson
• Janet Covington
• Veta Byrd